From 0389f874950628fe6edd8c3b5e21b31f87f0ead7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tobias=20Nie=C3=9Fen?=
Date: Thu, 11 May 2023 15:57:02 +0200
Subject: [PATCH] msi: do not create AppData\Roaming\npm

This effectively reverts e431cae7e70069cd1631081f9dca09990b948feb due to security concerns. The directory is being created with elevated privileges but its path may depend on an unprivileged user's environment variables. Creating a directory in certain sensitive locations can cause Windows to become inoperable.

Creating AppData\Roaming\npm was an intentional addition in order to resolve https://github.com/nodejs/node-v0.x-archive/issues/8141, which appears to have been a common issue for users of npm. However, this was implemented before 4cfe5eb9af9d0a46ab6bfe3a4a49c4b1e43513b0, which changed the MSI installation scope to perMachine. There were concerns about creating the npm directory in that PR, albeit not related to security (see https://github.com/nodejs/node-v0.x-archive/pull/25640).

Refs: https://github.com/nodejs/node-v0.x-archive/issues/8141
Refs: https://github.com/nodejs/node-v0.x-archive/pull/8838
Refs: https://github.com/nodejs/node-v0.x-archive/pull/25640
PR-URL: https://github.com/nodejs-private/node-private/pull/408
Backport-PR-URL: https://github.com/nodejs-private/node-private/pull/430
Reviewed-By: Rich Trott
CVE-ID: CVE-2023-30585
---
 tools/msvs/msi/product.wxs | 12 ------------
 1 file changed, 12 deletions(-)

diff --git a/tools/msvs/msi/product.wxs b/tools/msvs/msi/product.wxs
index 0c9c09e5b07010..bc709013f1bb86 100755
--- a/tools/msvs/msi/product.wxs
+++ b/tools/msvs/msi/product.wxs
@@ -76,7 +76,6 @@ - @@ -107,7 +106,6 @@ - @@ -266,16 +264,6 @@ - - - - - - - - - -
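Review bot: the single-line deletions at @@ -76,7 +76,6 @@ and @@ -107,7 +106,6 @@ need to be checked against the ten-line removal at @@ -266,16 +264,6 @@ so that no identifier declared in the removed block is still referenced anywhere. The patch touches only tools/msvs/msi/product.wxs, so a search of the other files under tools/msvs/msi for the removed identifiers before merging would confirm that nothing dangling is left for the installer build to trip over.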
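Review bot: the ten-line removal at @@ -266,16 +264,6 @@ leaves open what now covers nodejs/node-v0.x-archive issue 8141, which the commit message itself calls a common issue for npm users. Please state in the message whether the directory is expected to be created later in the user's own context, without elevation, and add a release note for the MSI so that affected users know the installer no longer creates it. Since the root cause named in the message is an elevated action resolving a path from an unprivileged user's environment variables, it would also help to record whether the rest of product.wxs was checked for other elevated actions that build paths the same way.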