npm audit fix: 1 high severity vulnerability: Arbitrary File Overwrite

   === npm audit security report ===                        

┌───────────────────────────────────────────────────────────────────┐
│                                Manual Review                      │
│      Some vulnerabilities require your attention to resolve       │
│                                                                   │
│  Visit https://go.npm.me/audit-guide for additional guidance      │
└───────────────────────────────────────────────────────────────────┘
┌───────────────┬───────────────────────────────────────────────────┐
│ High          │ Arbitrary File Overwrite                          │
├───────────────┼───────────────────────────────────────────────────┤
│ Package       │ tar                                               │
├───────────────┼───────────────────────────────────────────────────┤
│ Patched in    │ >=4.4.2                                           │
├───────────────┼───────────────────────────────────────────────────┤
│ Dependency of │ gulp-sass                                         │
├───────────────┼───────────────────────────────────────────────────┤
│ Path          │ gulp-sass > node-sass > node-gyp > tar            │
├───────────────┼───────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/803            │
└───────────────┴───────────────────────────────────────────────────┘
found 1 high severity vulnerability in 7659 scanned packages
  1 vulnerability requires manual review. See the full report for details.
asked by inhyechoi, Apr 11 '19 17:04


People also ask

How do I manually fix npm vulnerabilities?

Try running npm update command. It will update all the package minor versions to the latest and may fix potential security issues. If you have a vulnerability that requires manual review, you will have to raise a request to the maintainers of the dependent package to get an update.

What will npm audit fix do?

Audit signatures: to ensure the integrity of packages you download from the public npm registry, or any registry that supports signatures, you can verify the registry signatures of downloaded packages using the npm CLI.

Can I ignore npm audit?

You can get npm audit to ignore issues of a certain severity (but only for its exit code) by setting the audit-level option. You can tell npm audit fix to only fix production dependencies with npm audit fix --only=prod.


1 Answer

My suggestion would be to attempt to upgrade, but they do look to be dependent on 3rd-party packages.

For the regex DoS, if the right input goes in, it could grind things to a stop, unlike the second vulnerability. You should strive to upgrade this one first, or remove it completely if you can't.

But js-yaml might keep some connections lingering for longer than it should. If, in the unlikely case, you can't upgrade, there are packages out there that you could use to monitor and close off remaining HTTP connections and cheaply hold off a small DoS attack. Fail2ban and Splunk for monitoring spring to mind for Linux :)

answered by David S, Nov 15 '22 11:11