From 3bd68617ca86cfbeb9da0115f03d8aeb3395f9d5 Mon Sep 17 00:00:00 2001
From: Paolo Greppi
Date: Fri, 10 Aug 2018 12:53:33 +0200
Subject: [PATCH] use fs.lchown rather than fs.chown and thereby fix #14 fixes the symlinks problem #3 while not causing the TOCTOU vulnerability #14 The [patch in libuv 1.21.0](https://github.com/libuv/libuv/releases/tag/v1.21.0) that undeprecates `fs.lchown` [has been incorporated in nodejs Version 10.6.0](https://github.com/nodejs/node/blob/master/doc/changelogs/CHANGELOG_V10.md#2018-07-04-version-1060-current-targos). So I specified the minimum nodejs version in `package.json` with the `engine` key: https://docs.npmjs.com/files/package.json#engines
---
 chownr.js | 11 ++---------
 package.json | 3 ++-
 2 files changed, 4 insertions(+), 10 deletions(-)
diff --git a/chownr.js b/chownr.js
index ecd7b45..8112967 100644
--- a/chownr.js
+++ b/chownr.js
@@ -15,19 +15,12 @@ function chownr (p, uid, gid, cb) {
 , errState = null
 children.forEach(function (child) {
 var pathChild = path.resolve(p, child);
- fs.lstat(pathChild, function(er, stats) {
- if (er)
- return cb(er)
- if (!stats.isSymbolicLink())
- chownr(pathChild, uid, gid, then)
- else
- then()
- })
+ chownr(pathChild, uid, gid, then)
 })
 function then (er) {
 if (errState) return
 if (er) return cb(errState = er)
- if (-- len === 0) return fs.chown(p, uid, gid, cb)
+ if (-- len === 0) return fs.lchown(p, uid, gid, cb)
 }
 })
 }
diff --git a/package.json b/package.json
index 6b31a60..582f172 100644
--- a/package.json
+++ b/package.json
@@ -19,5 +19,6 @@
 "scripts": {
 "test": "tap test/*.js"
 },
- "license": "ISC"
+ "license": "ISC",
+ "engines": { "node" : ">=10.6.0" }
 }
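Review bot: In the chownr.js hunk, every child, symlinks included, now goes straight into the recursive `chownr(pathChild, uid, gid, then)` call, and only the final call inside `then` was switched to `fs.lchown`. The start of `chownr` lies outside the hunk, so the following is inferred rather than visible: if the directory listing there resolves a link that points at a directory, or the early return for non-directories and empty directories still calls `fs.chown`, ownership changes can still land on targets outside the tree being processed. I would switch every remaining `fs.chown(p, uid, gid, cb)` in the function to `fs.lchown(p, uid, gid, cb)` and give any synchronous variant in the file the same treatment, since this patch does not touch one. A regression test that places a link to an outside directory inside the tree and asserts that the outside owner is unchanged would pin the behaviour the commit message promises.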
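Review bot: The added `engines` entry in package.json does not enforce anything on its own, because npm reports a mismatch only as a warning unless `engine-strict` is set; the package can therefore still be installed on a runtime older than 10.6.0. chownr.js now calls `fs.lchown` unconditionally, and on such a runtime that function may be deprecated or absent, which would surface as a runtime TypeError rather than an install-time failure. I would publish this as a major version and fail early at module load, e.g. `if (typeof fs.lchown !== 'function') throw new Error('chownr requires fs.lchown (node >= 10.6.0)')`. Minor style point: `"node" : ">=10.6.0"` has a space before the colon that the other keys in the hunk do not use.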