npm audit vulnerability in tar
npm install results in audit errors:
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High │ Arbitrary File Overwrite │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ tar │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=4.4.2 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ lerna [dev] │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ lerna > @lerna/add > @lerna/bootstrap > @lerna/run-lifecycle │
│ │ > npm-lifecycle > node-gyp > tar │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://nodesecurity.io/advisories/803 │
└───────────────┴──────────────────────────────────────────────────────────────┘
This seems to emanate from here: https://github.com/npm/npm-lifecycle/issues/28
Steps to Reproduce (for bugs)
- npm install
Your Environment
Executable | Version
---|---
lerna --version | 3.13.2
npm --version | 6.4.1
yarn --version | n/a
node --version | v10.15.3
Issue Analytics
- Created 4 years ago
- Reactions: 20
- Comments: 6 (5 by maintainers)
Top GitHub Comments
npm i -D lerna@latest
There’s been no activity from the npm team on npm/npm-lifecycle#34 in almost a week. @zkochan mentioned that he put together a fork of npm-lifecycle that has this fix. Is the lerna team planning to wait on npm/npm-lifecycle#34 or use https://github.com/zkochan/lifecycle in the near future?