Chownr is a lightweight npm package designed to recursively change file ownership, functioning similarly to the chown -R command in Unix-like systems. Version 0.0.2, released in May 2015, builds upon the initial 0.0.1 release from June 2012, offering refined functionality for developers needing to manage file permissions in their Node.js projects.
A key difference lies in the licensing; version 0.0.1 was released under the BSD license, while version 0.0.2 transitioned to the ISC license. This change might be relevant for developers with specific licensing requirements for their projects. The core functionality remains consistent: recursively changing the owner and group of files and directories. Both versions rely on tap for testing, mkdirp for creating directories, and rimraf for removing directories during the development process.
Notably, version 0.0.2 introduces a dependencies field, albeit empty, indicating a potential shift in how dependencies were being managed, even if no external dependencies were actually added. Developers often use chownr to address permission issues that arise when applications create files with incorrect ownership, especially in containerized environments or during deployment. The package offers a programmatic way to ensure correct file ownership, simplifying the setup and maintenance of Node.js applications.
All vulnerabilities related to version 0.0.2 of the package
Time-of-check Time-of-use (TOCTOU) Race Condition in chownr
A TOCTOU issue in the chownr package before 1.1.0 for Node.js 10.10 could allow a local attacker to trick it into descending into unintended directories via symlink attacks.
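The defensive pattern behind this class of issue, as an added example that is not chownr's own code: a recursive walk that decides whether to descend from each entry's own type and changes ownership with lchown, so a symlink planted in the tree is never followed. The names chownTreeNoFollow and demo, the sample tree and the uid/gid 1000 are constructed for illustration.

```javascript
const fs = require('fs');
const os = require('os');
const path = require('path');

// Hypothetical helper, not chownr's API: recursive chown that never follows symlinks.
// chownFn defaults to fs.lchownSync, which changes a link itself, not its target.
function chownTreeNoFollow(root, uid, gid, chownFn = fs.lchownSync) {
  const touched = [];
  const skippedLinks = [];

  function visit(p, isDir, isLink) {
    if (isLink) skippedLinks.push(p); // recorded, never descended into
    if (isDir && !isLink) {
      // withFileTypes reports the entry's own type, so a symlink that
      // points at a directory shows up as a symlink, not a directory.
      for (const ent of fs.readdirSync(p, { withFileTypes: true })) {
        visit(path.join(p, ent.name), ent.isDirectory(), ent.isSymbolicLink());
      }
    }
    chownFn(p, uid, gid); // children first, then the entry itself
    touched.push(p);
  }

  const st = fs.lstatSync(root); // lstat: a symlinked root is not resolved
  visit(root, st.isDirectory(), st.isSymbolicLink());
  return { touched, skippedLinks };
}

// Constructed sample tree: tree/sub/a.txt plus tree/link -> ../outside.
// A recording callback stands in for lchown, so no privileges are needed.
function demo() {
  const base = fs.mkdtempSync(path.join(os.tmpdir(), 'chown-demo-'));
  const tree = path.join(base, 'tree');
  const outside = path.join(base, 'outside');
  fs.mkdirSync(path.join(tree, 'sub'), { recursive: true });
  fs.mkdirSync(outside);
  fs.writeFileSync(path.join(tree, 'sub', 'a.txt'), 'a');
  fs.writeFileSync(path.join(outside, 'secret.txt'), 's');
  fs.symlinkSync(outside, path.join(tree, 'link'));
  const calls = [];
  const result = chownTreeNoFollow(tree, 1000, 1000, (p) => calls.push(p));
  fs.rmSync(base, { recursive: true, force: true });
  return { ...result, calls, tree };
}
```

This narrows the race window but does not close it: a directory replaced by a symlink between the readdir that listed it and the readdir that descends into it would still be followed.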