
Fix vulnerability in tar < 4.2.2


npm audit reports a bad vulnerability in tar < 4.2.2. It has been reported since April 5th.

Etherpad-lite isn’t using tar directly though. The dependency chain is npm > npm-lifecycle > node-gyp > tar.

So we need to wait for the chain to publish new versions with the dependencies fixed:

(This issue is just for tracking the progress of updates in the dependencies chain.)
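As an added example (not code from the Etherpad project or from this issue), the script below walks a constructed package-lock.json fragment in the lockfileVersion 1 layout and reports every dependency chain that still pins an unpatched copy of a package. This is the check you would run to confirm which path (here npm > npm-lifecycle > node-gyp > tar) is waiting on an upstream release rather than on your own package.json.

```javascript
// Constructed package-lock.json fragment (lockfileVersion 1: nested
// "dependencies" objects), modelled on the chain quoted in the issue.
// Versions are illustrative, not taken from a real lockfile.
const lock = {
  dependencies: {
    npm: {
      version: "6.9.0",
      dependencies: {
        "npm-lifecycle": {
          version: "2.1.0",
          dependencies: {
            "node-gyp": {
              version: "3.8.0",
              dependencies: {
                tar: { version: "2.2.1" },      // below the 4.2.2 fix
                fstream: { version: "1.0.11" }, // below the 1.0.12 fix
              },
            },
          },
        },
      },
    },
    tar: { version: "4.4.8" }, // hoisted top-level copy, already patched
  },
};

// Numeric comparison of dotted versions (pre-release tags are ignored).
function versionLess(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y;
  }
  return false;
}

// Return "a > b > c@version" for every copy of `name` older than `patched`.
// Nested copies are reported separately from a patched hoisted copy, which
// is why npm audit can still flag a package you have already upgraded.
function vulnerablePaths(lockfile, name, patched) {
  const hits = [];
  const walk = (deps, chain) => {
    for (const [pkg, meta] of Object.entries(deps || {})) {
      const path = [...chain, pkg];
      if (pkg === name && versionLess(meta.version, patched)) {
        hits.push(`${path.join(" > ")}@${meta.version}`);
      }
      walk(meta.dependencies, path);
    }
  };
  walk(lockfile.dependencies, []);
  return hits;
}

console.log(vulnerablePaths(lock, "tar", "4.2.2"));
```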

Issue Analytics

  • State: closed
  • Created: 4 years ago
  • Comments: 6 (4 by maintainers)

Top GitHub Comments

1 reaction
muxator commented, Aug 8, 2019

An updated version of npm (6.10.3) and npm-lifecycle fixes the vulnerabilities. We can close this.

1 reaction
muxator commented, Jun 23, 2019

Wow. Thanks @gobengo, nice sum up.

I did a quick check (install only) using npm-force-resolutions, and npm audit actually stopped listing the vulnerabilities on tar.

But this is so ugly I am still doubtful:

  • we cannot know if this is functionally correct

  • npm-force-resolutions basically performs a tool-assisted surgery on package-lock.json, and Etherpad does not come with one. The reason is not laziness, but the “peculiar” directory structure, startup & installation mode of Etherpad, which makes things hairy

  • going this way has potentially no end. There is already another high profile vulnerability remaining on npm:

    High           Arbitrary File Overwrite
    Package        fstream
    Patched in     >=1.0.12
    Dependency of  npm
    Path           npm > libcipm > npm-lifecycle > node-gyp > fstream
    More info      https://nodesecurity.io/advisories/886

    This one was reported on 2019-05-19: https://www.npmjs.com/advisories/886.

    What to do here? We could continue forcing resolutions, but at that point we would basically end up doing npm’s work, and I am not really sure this would be healthy for the project 😕

At least, thanks to your analysis, we now know that we are at the mercy of the npm team, and this is insane.
