@julian, @baris and @psychobunny, should there be a file named public-suffix.txt in an installation of NodeBB, under the /usr/lib/node_modules/npm/node_modules/request/node_modules/tough-cookie/ directory?
Is there even a directory named tough-cookie in an installation of NodeBB?
Hey @planner -- the path of the file suggests that
tough-cookieis Node.js module that is a dependency of
request, which is globally installed.
In fact, the path you pasted isn't even a NodeBB directory... so possibly could be an issue with the
Ok, is that something that's supposd to be in an installation of Node.JS?
Nope... and it's not part of NodeBB either (although we use it in our hosting platform, which is completely separate).
At some point, it looks like you ran
sudo npm install -g request. That's why that package is installed in
No, I didn't install anything like that. What has me worried is the content of the public-suffix.txt in particular and all the files and directories under the tough-cookie directory. The GitHub page for that project is at https://github.com/goinstant/tough-cookie.
Is that legit?
Looks like a legit module.
Since that is something I did not install and it's not a part of NodeBB, I'm guessing it should be save to remove the request module. I get real edgy when I see something that I can't account for.
Yeah, legit. Did it show up in your filesystem monitoring tools? If so, raise an issue on the tough-cookie issue tracker asking about the cookie.
To be fair, request is actually a dependency of npm.
Not being a Node guru and not knowing what the contents of that file should be, I had to check. Does it make any sense for that file (public-suffix.txt ) to contain a listing of more websites than I ever come across in one file?
I did check out the company behind it and they seem legit, but I still had to satisfy my paranoid self.
@planner it's probably this file from their repo: https://github.com/goinstant/tough-cookie/blob/master/public-suffix.txt
So all should be good.
That'll calm me down. Thanks.