Suspicious file
-
Hey @planner -- the path of the file suggests that
tough-cookie
is Node.js module that is a dependency ofrequest
, which is globally installed.In fact, the path you pasted isn't even a NodeBB directory... so possibly could be an issue with the
tough-cookie
package. -
Nope... and it's not part of NodeBB either (although we use it in our hosting platform, which is completely separate).
At some point, it looks like you ran
sudo npm install -g request
. That's why that package is installed in/usr/lib/node_modules
-
No, I didn't install anything like that. What has me worried is the content of the public-suffix.txt in particular and all the files and directories under the tough-cookie directory. The GitHub page for that project is at https://github.com/goinstant/tough-cookie.
Is that legit?
-
Looks like a legit module.
-
To be fair, request is actually a dependency of npm.
https://github.com/npm/npm/blob/master/package.json#L75 -
Not being a Node guru and not knowing what the contents of that file should be, I had to check. Does it make any sense for that file (public-suffix.txt ) to contain a listing of more websites than I ever come across in one file?
I did check out the company behind it and they seem legit, but I still had to satisfy my paranoid self.
-
@planner it's probably this file from their repo: https://github.com/goinstant/tough-cookie/blob/master/public-suffix.txt
So all should be good.