How to fix NPM package Tar, with high vulnerability about Arbitrary File Overwrite, when package is up to date?

I just installed Flickity from NPM and got an NPM Audit Security Report after running npm audit stating that I have a high vulnerability issue regarding Arbitrary File Overwrite on package tar which is a dependency of node-sass as you can see here:

High......................... Arbitrary File Overwrite
Package...................... tar
Patched in................... >=4.4.2
Dependency of................ node-sass [dev]
Path......................... node-sass > node-gyp > tar
More info.................... https://npmjs.com/advisories/803

Running npm audit fix didn't solve the problem as the vulnerability requires manual review. The recommendation at the more info link says to upgrade to version 4.4.2 or later. When I ran npm show tar version I realized I'm running version 4.4.8, so that confused me. I went to package-lock.json and realized node-gyp, which is a dependency of node-sass, is using tar version ^2.0.0.

This is confusing me since I've seen many different tar versions as a dependency of other packages, but this node-sass > node-gyp > tar version is the only one below v4.4.2. Why does it work like that, why do I have to manually fix it, and how can I manually fix/upgrade this one tar package?

Wilbert Caba asked Apr 11 '19 17:04
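To see why npm show tar version (the latest published version) and the audit path disagree, it helps to walk the lockfile the way npm audit does. The script below is an added example, not code from the question or from the node-sass project; it assumes the lockfileVersion 1 layout the question's package-lock.json uses (nested "dependencies" objects), and the lockfile and version numbers in it are constructed to mirror the question's node-sass > node-gyp > tar nesting.

```javascript
// Added example: list every installed copy of a package in a lockfile-v1
// package-lock.json with the path that pulled it in, then flag the copies
// whose version is below the advisory's patched version.
const constructedLock = {
  lockfileVersion: 1,
  dependencies: {
    tar: { version: "4.4.8" },                  // top-level copy, patched
    "node-sass": {
      version: "4.11.0", dev: true,
      dependencies: {
        "node-gyp": {
          version: "3.8.0", dev: true,
          requires: { tar: "^2.0.0" },          // range that keeps tar at 2.x
          dependencies: { tar: { version: "2.2.1", dev: true } },
        },
      },
    },
  },
};

// Parse "MAJOR.MINOR.PATCH" into numbers (any pre-release suffix is dropped).
function parseVersion(v) {
  return v.split("-")[0].split(".").map(Number);
}

// True when version a sorts before version b.
function isBelow(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) {
    if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) < (pb[i] || 0);
  }
  return false;
}

// Recursively collect every copy of `name`, recording the "a > b > name" path.
function findCopies(node, name, path = []) {
  const out = [];
  for (const [dep, info] of Object.entries(node.dependencies || {})) {
    const here = [...path, dep];
    if (dep === name) out.push({ path: here.join(" > "), version: info.version });
    out.push(...findCopies(info, name, here));
  }
  return out;
}

// Copies still below the patched version (here "4.4.2" from the advisory).
function vulnerableCopies(lock, name, patchedIn) {
  return findCopies(lock, name).filter(c => isBelow(c.version, patchedIn));
}
```

Against the constructed lockfile, findCopies reports both the top-level tar 4.4.8 and the nested 2.2.1, and only the nested copy under node-sass > node-gyp is flagged, which is exactly the single path the audit report shows.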



1 Answer

The issue is being tracked on the GitHub page:

https://github.com/sass/node-sass/issues/2625

vordimous answered Oct 14 '22 19:10