
npm audit vulnerability in tar

See original GitHub issue

npm install results in audit errors:

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Arbitrary File Overwrite                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ tar                                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=4.4.2                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ lerna [dev]                                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ lerna > @lerna/add > @lerna/bootstrap > @lerna/run-lifecycle │
│               │ > npm-lifecycle > node-gyp > tar                             │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/803                       │
└───────────────┴──────────────────────────────────────────────────────────────┘

This seems to emanate from here: https://github.com/npm/npm-lifecycle/issues/28

Steps to Reproduce (for bugs)

  1. npm install

Your Environment

  • lerna --version: 3.13.2
  • npm --version: 6.4.1
  • yarn --version: n/a
  • node --version: v10.15.3
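An added example, not code from the issue or from the lerna project, showing how to find which nested copy of tar in an npm 6 (lockfileVersion 1) package-lock.json is older than the advisory's patched version (>=4.4.2) and which dependency chain pulls it in, mirroring the path column of the audit table. The lock excerpt and every version except lerna 3.13.2 are constructed for the example.

```javascript
// Added example, not code from the issue or from lerna: scan an npm 6
// (lockfileVersion 1) package-lock.json for copies of a package older than the
// advisory's patched version and report the nesting path, as `npm audit` does.
// Only x.y.z versions are compared; no external packages are needed.
// Split "v4.4.2" or "4.4.2" into [4, 4, 2].
function parseVersion(v) {
  return v.replace(/^[^\d]*/, '').split('.').map(n => parseInt(n, 10) || 0);
}

// Comparator: negative if a < b, zero if equal, positive if a > b.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Walk the nested "dependencies" tree and collect every copy of `pkg` whose
// version is older than `patched`, with the chain of packages pulling it in.
function findVulnerable(node, pkg, patched, path = [], out = []) {
  for (const [name, entry] of Object.entries(node.dependencies || {})) {
    const here = [...path, name];
    if (name === pkg && compareVersions(entry.version, patched) < 0) {
      out.push({ version: entry.version, path: here.join(' > ') });
    }
    findVulnerable(entry, pkg, patched, here, out);
  }
  return out;
}

// Build a nested lockfile-v1 chain from [name, version] pairs (innermost last).
function chain(pairs) {
  return pairs.reduceRight((inner, [name, version]) =>
    ({ [name]: inner ? { version, dependencies: inner } : { version } }), null);
}

// Constructed lock excerpt: the path from the audit table above with an old
// nested tar under node-gyp, plus a hoisted tar that is already patched.
// Every version except lerna 3.13.2 is made up for this example.
const sampleLock = { lockfileVersion: 1, dependencies: {
  ...chain([['lerna', '3.13.2'], ['@lerna/add', '3.13.1'],
            ['@lerna/bootstrap', '3.13.1'], ['@lerna/run-lifecycle', '3.13.0'],
            ['npm-lifecycle', '2.1.0'], ['node-gyp', '3.8.0'], ['tar', '2.2.1']]),
  tar: { version: '4.4.8' },
} };
const findings = findVulnerable(sampleLock, 'tar', '4.4.2');
console.log(findings); // one finding: tar 2.2.1 via lerna > ... > node-gyp > tar
```

To run it against a real project, replace `sampleLock` with `JSON.parse(require('fs').readFileSync('package-lock.json', 'utf8'))`; a hoisted patched copy does not remove the risk while an older nested copy still exists.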

Issue Analytics

  • State: closed
  • Created: 4 years ago
  • Reactions: 20
  • Comments: 6 (5 by maintainers)

Top GitHub Comments

2 reactions
evocateur commented, May 8, 2019

npm i -D lerna@latest

On May 8, 2019, at 14:55, Kousha Talebian notifications@github.com wrote:

When can we expect @lerna/run-lifecycle to bump npm-lifecycle?

2 reactions
rbuckton commented, May 8, 2019

There’s been no activity from the npm team on npm/npm-lifecycle#34 in almost a week. @zkochan mentioned that he put together a fork of npm-lifecycle that has this fix. Is the lerna team planning to wait on npm/npm-lifecycle#34 or use https://github.com/zkochan/lifecycle in the near future?
