This package appears to have a TOCTOU bug, which can trick it into descending into unintended trees if a non-symlink is replaced by a symlink at a critical moment:
    fs.lstat(pathChild, function(er, stats) {
      if (er) return cb(er)
      if (!stats.isSymbolicLink())
        chownr(pathChild, uid, gid, then)

(I did not prove this; it's a claim by inspection only.)

This can best be fixed by using modern "*at" APIs such as fchownat, as chmod(1) does at least as far back as Debian Wheezy, but I suspect these are probably not readily available in the node ecosystem.

Besides that, the package's testsuite unsafely uses predictable filenames in "/tmp" (see at least test/sync.js in the master branch). At a minimum, it can probably be tricked into changing the group of an arbitrary file the test-running user owns.

Jeff