NPM Audit issue - Arbitrary File Overwrite #1717
Comments
The comment stream in #1713 does not clearly say whether the fix will be backported into the v3.x branch. @richardlau just mentioned that the update of tar from version

It's a shame that this has been known since April 4th and there is still no release. You guys with your infinite number of dependencies should try a rolling release: as soon as one dependency is updatable you should upgrade, and don't stick with node v4, which hasn't been updated since March 2018, so no security updates or whatsoever. In my opinion, merge #1670 and #1718 and release this piece of .. see semver.org
This is how I fixed this in my project, please let me know if there is a better way: Edit package-lock.json and replace: with:

@ma-jahn I am very open to any suggestion that fixes major security flaws like this. So if you have any 'good way' to fix this, please share, I would be very grateful.

A fix is currently in progress: 1456ef2
Is there any reason a person couldn't, in the meantime, when installing node-sass, change package.json to include node-gyp 4.0.0, which already includes the updated tar version? Edit: To clarify, I'm not suggesting editing the package-lock directly. Just do
Then, edit the node-sass package.json to correct the node-gyp version, and then just do
?

So, nobody knows what we are supposed to do in the meantime? Just don't use node-sass? I'm not trying to be hyperbolic, I honestly don't know how serious this is.

Just switched to node-sass for the current project and ran into the same issue. Seems like it's been there for a few days now, please pick this one up on priority.
PR-URL: #1713 Reviewed-By: Refael Ackermann <refack@gmail.com>
Anyone know when this will be?

Looks like a fix was merged 10 days ago, but there's still no release. What's the holdup?

Temporary Solution for users using Yarn: (use at your own risk) This is just a temporary solution for users using Yarn until the fix gets published to npmjs.
Once the fix has been published, simply remove both the For

npm install npm@latest -g that worked for me

@shazilrehman What should be the correct npm version to use? I am at 6.9.0 and still experiencing the problem. :D
Do we have the fix ready for this, "npm audit fix" or explicit "npm install tar" is not helping in this case. |
@uniibu To clarify the risk, this will break older versions of node. Besides that, this is basically what the current fix we're waiting on does. I don't think you need the

@jhnferraris may god be with you then.

A kind reminder that Node.js has interaction standards and maintainer abuse will not be tolerated. Comments that are not constructive will be deleted (criticism of technical issues and discussion is welcome). If you are unsure how to interact we have a code of conduct here. If you have any questions about our policy or would like to report anything feel free to reach out at report@nodejs.org or moderation@nodejs.org
Updating

```js
if (vsSetup) {
  // GYP doesn't (yet) have support for VS2017, so we force it to VS2015
  // to avoid pulling a floating patch that has not landed upstream.
  // Ref: https://chromium-review.googlesource.com/#/c/433540/
  gyp.opts.msvs_version = '2015'
  process.env['GYP_MSVS_VERSION'] = 2015
  process.env['GYP_MSVS_OVERRIDE_PATH'] = vsSetup.path
  defaults['msbuild_toolset'] = 'v142'
  defaults['msvs_windows_target_platform_version'] = vsSetup.sdk
  variables['msbuild_path'] = path.join(vsSetup.path, 'MSBuild', 'Current', 'Bin', 'MSBuild.exe')
}
```

This may just be coincidental because I would think those changes would be irrelevant to
Here is my NPM Audit Report: https://gist.github.com/JamieCorkhill/90f92c4f50d7e59e42c03a90d11ad93c Any help would be much appreciated. Thanks.
Any update on this fix? I saw somewhere that the ETA was 10th May, so thought I'd check again on the new ETA?

As your report shows,
That is not a problem of node-gyp and isn't something that is trivially fixable on the node-gyp side. @subhashkonda No, there is nothing else to be done here.
Thank you. So, to confirm,

@JamieCorkhill Yes, you can confirm that it does not happen with

@ChALkeR Thanks. So are

@JamieCorkhill There are four separate dep chains in
It is understandable why unrolling those dep chains is not fast, if they want to be on the safe side and test everything. That said, I personally would have appreciated slightly more feedback in the tar@2 backport issue/pr :-).

I think this is finally fixed for everyone with
NPM Audit issue:
Version 3.8.0 of node-gyp relies on tar < 4.4.2, which comes with a high vulnerability (https://www.npmjs.com/advisories/803)
I can see that you have updated this dependency within your master branch, but version 4.0.0 is not yet released.
Can you let me know if and when this fix will be available?
Thanks
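The issue above is about a transitive tar < 4.4.2 reached through node-gyp 3.8.0. As an added example (not code from this thread or from node-gyp), the following walks a lockfileVersion 1 package-lock.json and lists every dependency chain that still pulls in a tar older than 4.4.2; the sample lock and its version numbers are constructed for illustration.

```javascript
// Added example, not code from this thread or from node-gyp: walk a
// package-lock.json (lockfileVersion 1 layout) and report every nested
// `tar` entry older than 4.4.2 (the fixed version per npm advisory 803),
// together with the chain of packages that pulls it in.
const FIXED_TAR = '4.4.2';

// Compare two "x.y.z" strings numerically; returns <0, 0 or >0.
// Pre-release suffixes such as "4.4.2-beta" are not handled.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Collect every tar < FIXED_TAR with the parent chain (outermost first);
// nested node_modules appear as nested "dependencies" objects in v1 locks.
function findVulnerableTar(lock, chain = [], out = []) {
  const deps = (lock && lock.dependencies) || {};
  for (const [name, entry] of Object.entries(deps)) {
    const here = chain.concat(`${name}@${entry.version}`);
    if (name === 'tar' && compareVersions(entry.version, FIXED_TAR) < 0) {
      out.push({ version: entry.version, chain: here.join(' > ') });
    }
    findVulnerableTar(entry, here, out);
  }
  return out;
}

// Constructed sample lock (versions illustrative, not taken from the thread):
// one chain still on tar@2.x through node-gyp@3.8.0, one already fixed.
const SAMPLE_LOCK = {
  lockfileVersion: 1,
  dependencies: {
    'node-sass': { version: '4.11.0', dependencies: {
      'node-gyp': { version: '3.8.0', dependencies: { tar: { version: '2.2.1' } } },
    } },
    'other-pkg': { version: '1.0.0', dependencies: { tar: { version: '4.4.8' } } },
  },
};

// Swap SAMPLE_LOCK for JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))
// to check a real project; a non-empty result means the advisory still applies.
for (const hit of findVulnerableTar(SAMPLE_LOCK)) {
  console.log(`tar@${hit.version} via ${hit.chain}`);
}
```

An empty result after a node-gyp or node-sass upgrade is the quick way to confirm the chain the thread discusses is gone from the lockfile.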