On 10/07/2013 18:59, Daniel Kahn Gillmor wrote:
> I notice that your message was sent privately to me,
> ../.. feel free to post copies of it to the BTS.

My mistake.

> On 07/10/2013 12:31 PM, Jérémy Lal wrote:
>> On 10/07/2013 18:17, Daniel Kahn Gillmor wrote:
>
>>> I confess i'm kind of amazed that node doesn't have any primitive like
>>> mkstemp(3), or if it does, that npm isn't using such a primitive.
>>
>> Using a module :
>> https://github.com/bruce/node-temp
>
> heh. and npm can't rely on that because the only way to install it is
> with npm itself, lovely :/

No, it's perfectly fine for npm to depend on a number of modules,
since npm tarball contains its own node_modules.
Upstream npm is relatively open to patches that separate functions
in a module, and node-temp seems well maintained.

>>> Has a CVE been requested or assigned for this yet? I'd be happy to make
>>> the request if you think that would be useful.
>>
>> I'm going to upload latest nodejs/npm to unstable this summer,
>> not so sure a CVE is worth it.
>
> I appreciate your staying on top of the uploads. I'm not sure how that
> relates to the relevance or worth of a CVE for the issue, though.
>
> I'll go ahead and request one unless there is a strong reason not to.

Okay.

Jérémy.