From 87d9f7908b2e39cf78afa1e8a326ee4f7d7fd3af Mon Sep 17 00:00:00 2001
From: tuanaiseo
Date: Fri, 3 Apr 2026 06:51:35 +0700
Subject: [PATCH] fix(security)(utils): predictable global cache directory in /tmp enables
The cache directory is a fixed, shared path (`/tmp/ncc-cache`). On multi-user systems this can be pre-created or manipulated by another user (symlink/hardlink attacks), potentially causing cache poisoning, unintended file writes, or data leakage between builds/users depending on how cache files are later written.
Affected files: ncc-cache-dir.js
Signed-off-by: tuanaiseo <221258316+tuanaiseo@users.noreply.github.com>
---
src/utils/ncc-cache-dir.js | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/src/utils/ncc-cache-dir.js b/src/utils/ncc-cache-dir.js
index bd4fb463..10c0328f 100644
--- a/src/utils/ncc-cache-dir.js
+++ b/src/utils/ncc-cache-dir.js
@@ -1 +1,8 @@
-module.exports = require("os").tmpdir() + "/ncc-cache";
\ No newline at end of file
+const crypto = require("crypto");
+const os = require("os");
+const path = require("path");
+
+const cacheBase = process.env.XDG_CACHE_HOME || path.join(os.homedir(), ".cache");
+const projectKey = crypto.createHash("sha256").update(process.cwd()).digest("hex").slice(0, 12);
+
+module.exports = path.join(cacheBase, "ncc", projectKey);
\ No newline at end of file
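Review bot: `process.env.XDG_CACHE_HOME` is taken as-is on the `cacheBase` line, so a relative value (which the XDG Base Directory spec says to ignore) would place the cache under the current working directory instead of the user's cache root; guard it with `const xdg = process.env.XDG_CACHE_HOME;` and `const cacheBase = xdg && path.isAbsolute(xdg) ? xdg : path.join(os.homedir(), ".cache");`. Note also that `os.homedir()` can throw at require time when no home directory is resolvable (minimal containers with no `$HOME` and no passwd entry), which the previous `tmpdir()` path did not, so that regression is worth a fallback or an explicit error. Moving out of the shared `/tmp` only addresses the threat in the commit message if the code that creates and writes this directory (outside this file) does so with a restrictive mode and does not follow a pre-existing symlink, so that call site should be checked as part of the same change. The module would also benefit from a short header comment such as `// Per-user cache root (XDG_CACHE_HOME or ~/.cache), keyed by a hash of process.cwd() so builds of different projects do not share entries.`.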