search

yao-pkg / pkg

Package your Node.js project into an executable
https://www.npmjs.com/package/@yao-pkg/pkg
MIT License
312 stars 11 forks source link

fix: use cache directory in users home instead of system-wide tmp dir #55

Closed kayahr closed 4 months ago

kayahr commented 4 months ago

Using a cache directory in users home directory fixes problems with conflicting user permissions and is also more secure because other users cannot inject executable code by placing a manipulated file in tmp.

Fixes #51

quentinmit commented 2 months ago

This PR just hit a program I use and caused an outage because we don't run with writable home directories. The resulting traceback doesn't really explain the problem:

Error: EPERM: operation not permitted, mkdir '/var/empty/.cache'
    at Object.mkdirSync (node:fs:1391:3)
    at Object.mkdirSync (pkg/prelude/bootstrap.js:1639:33)
    at createDirRecursively (pkg/prelude/bootstrap.js:256:8)
    at createDirRecursively (pkg/prelude/bootstrap.js:255:5)
    at createDirRecursively (pkg/prelude/bootstrap.js:255:5)
    at process.dlopen (pkg/prelude/bootstrap.js:2217:7)
    at Object.Module._extensions..node (node:internal/modules/cjs/loader:1452:18)
    at Module.load (node:internal/modules/cjs/loader:1197:32)
    at Function.Module._load (node:internal/modules/cjs/loader:1013:12)
    at Module.require (node:internal/modules/cjs/loader:1225:19)

It would be much better if this had a fallback to a secure temporary directory, and a clear error message when that fails.

robertsLando commented 2 months ago

@quentinmit I think we can fix this by using an env var to customize that dir on needs. Want to submit a PR?