Security: Vim: don't search in node_modules by default

strager · strager · commit 6697f3905d27 · 2021-05-30T18:47:55.000-07:00
diff --git a/plugin/vim/quick-lint-js.vim/ale_linters/javascript/quick_lint_js.vim b/plugin/vim/quick-lint-js.vim/ale_linters/javascript/quick_lint_js.vim
@@ -5,7 +5,7 @@
 " https://github.com/dense-analysis/ale
 
 call ale#Set('javascript_quick_lint_js_executable', 'quick-lint-js')
-call ale#Set('javascript_quick_lint_js_use_global', get(g:, 'ale_use_global_executables', 0))
+call ale#Set('javascript_quick_lint_js_use_global', get(g:, 'ale_use_global_executables', v:true))
 
 " TODO(strager): Make quick-lint-js-lsp the default when the bugs have been
 " ironed out:
diff --git a/plugin/vim/quick-lint-js.vim/doc/quick-lint-js.txt b/plugin/vim/quick-lint-js.vim/doc/quick-lint-js.txt
@@ -91,12 +91,17 @@ g:ale_javascript_quick_lint_js_use_global
 				*g:ale_javascript_quick_lint_js_use_global*
 				*b:ale_javascript_quick_lint_js_use_global*
   Type: |Boolean|
-  Default: `v:false`
+  Default: `v:true`
 
 Set this variable to `v:false` to search for `quick-lint-js` in `node_modules`
 first, and if it's not found, use |g:ale_javascript_quick_lint_js_executable|.
 
 Set this variable to `v:true` to only use
 |g:ale_javascript_quick_lint_js_executable|.
 
+For security reasons, we recommend leaving this variable at its default value
+(`v:true`). If this variable is set to `v:false`, then a malicious project
+could run arbitrary code on your computer through `node_modules` if you open a
+JavaScript file.
+
  vim:tw=78:ts=8:noet:ft=help:norl:
