NPM Audit issue - Arbitrary File Overwrite
See original GitHub issue
- Node Version: node@v10.7.0 && npm@6.4.1
- Platform: OSX
NPM Audit issue: Version 3.8.0 of node-gyp relies on tar < 4.4.2, which comes with a high-severity vulnerability (https://www.npmjs.com/advisories/803).
I can see that you have updated this dependency within your master branch, but version 4.0.0 is not yet released.
Can you let me know if and when this fix will be available?
Thanks
Issue Analytics
- State:
- Created 4 years ago
- Reactions:89
- Comments:38 (9 by maintainers)
It’s a shame that this has been known since April 4th and there is still no release. Furthermore, it should have been fixed a year ago, when the issue was found in node-tar on April 30th 2018.
You guys with your infinite number of dependencies should try a rolling release: as soon as one dependency is updatable you should upgrade, and don’t stick with node v4, which hasn’t been updated since March 2018, so there are no security updates whatsoever.
In my opinion, merge #1670 and #1718 and release this piece of …, and don’t waste time in discussions about whether there should be a major or minor version bump: as it breaks compatibility with node 4, there must be a major release bump.
see semver.org
This is how I fixed this in my project; please let me know if there is a better way:
npm install -D node-gyp
npm install -D tar@">4.4.7"
Edit package-lock.json and replace:
    "tar": {
      "version": "2.2.1",
      "resolved": "https://registry.npmjs.org/tar/-/tar-2.2.1.tgz",
      "integrity": "sha1-jk0qJWwOIYXGsYrWlK7JaLg8sdE=",
      "dev": true,
      "requires": {
        "block-stream": "*",
        "fstream": "^1.0.2",
        "inherits": "2"
      }
    }
with:
    "tar": {
      "version": "4.4.8",
      "resolved": "https://registry.npmjs.org/tar/-/tar-4.4.8.tgz",
      "integrity": "sha512-LzHF64s5chPQQS0IYBn9IN5h3i98c12bo4NCO7e0sGM2llXQ3p2FGC5sdENN4cTW48O915Sh+x+EXx7XW96xYQ==",
      "dev": true,
      "requires": {
        "chownr": "^1.1.1",
        "fs-minipass": "^1.2.5",
        "minipass": "^2.3.4",
        "minizlib": "^1.1.1",
        "mkdirp": "^0.5.0",
        "safe-buffer": "^5.1.2",
        "yallist": "^3.0.2"
      }
    }