Security vulnerability in package tar

[michdsouza]

webpacker uses a vulnerable version of tar, see https://www.npmjs.com/advisories/803 for more details on the security issue.
tar >=4.4.2 is patched, but webpacker has yet to update its version of tar

Expected Behavior
Use the patched version of tar

Current Behavior
Uses a vulnerable version of tar

Possible Solution
Update tar

[JoshRobertson]

Webpacker doesn't have a direct dependency on tar. The package that does is node-gyp. This requires a release from that package.

Relevant Info here: nodejs/node-gyp#1717

[michdsouza]

I think this issue has been closed on node-gyp. Just awaiting a release from them.

[petebytes]

They have released v4 which fixes (i think 2) high vulnerabilities
https://github.com/nodejs/node-gyp/releases/tag/v4.0.0

[chrismanderson]

How does one actually update node-gyp? I try running yarn upgrade node-gyp and get a bajillion build errors and garbage output, and nothing actually updates. Do I need to add it as a separate dependency in my package.json file?

❯ yarn upgrade node-gyp
yarn upgrade v1.16.0
warning package-lock.json found. Your project contains lock files generated by tools other than Yarn. It is advised not to mix package managers in order to avoid resolution inconsistencies caused by unsynchronized lock files. To clear this warning, remove package-lock.json.
[1/4] 🔍  Resolving packages...
[2/4] 🚚  Fetching packages...
[3/4] 🔗  Linking dependencies...
warning "@rails/webpacker > postcss-cssnext@3.1.0" has unmet peer dependency "caniuse-lite@^1.0.30000697".
warning " > slick-carousel@1.8.1" has unmet peer dependency "jquery@>=1.8.0".
warning " > webpack-dev-server@2.11.1" has unmet peer dependency "webpack@^2.2.0 || ^3.0.0".
warning "webpack-dev-server > webpack-dev-middleware@1.12.2" has unmet peer dependency "webpack@^1.0.0 || ^2.0.0 || ^3.0.0".
[4/4] 🔨  Rebuilding all packages...
[-/3] ⠂ waiting...
[2/3] ⠂ fsevents
warning Error running install script for optional dependency: "/Users/chris/galley/store/node_modules/fsevents: Command failed.
Exit code: 1
Command: node install
Arguments:
Directory: /Users/chris/galley/store/node_modules/fsevents
Output:
node-pre-gyp info it worked if it ends with ok
node-pre-gyp info using node-pre-gyp@0.6.38
node-pre-gyp info using node@10.16.0 | darwin | x64
node-pre-gyp info check checked for \"/Users/chris/galley/store/node_modules/fsevents/lib/binding/Release/node-v64-darwin-x64/fse.node\" (not found)
node-pre-gyp http GET https://fsevents-binaries.s3-us-west-2.amazonaws.com/v1.1.2/fse-v1.1.2-node-v64-darwin-x64.tar.gz
node-pre-gyp http 404 https://fsevents-binaries.s3-us-west-2.amazonaws.com/v1.1.2/fse-v1.1.2-node-v64-darwin-x64.tar.gz
node-pre-gyp ERR! Tried to download(404): https://fsevents-binaries.s3-us-west-2.amazonaws.com/v1.1.2/fse-v1.1.2-node-v64-darwin-x64.tar.gz
node-pre-gyp ERR! Pre-built binaries not found for fsevents@1.1.2 and node@10.16.0 (node-v64 ABI) (falling back to source compile with node-gyp)
node-pre-gyp http 404 status code downloading tarball https://fsevents-binaries.s3-us-west-2.amazonaws.com/v1.1.2/fse-v1.1.2-node-v64-darwin-x64.tar.gz
node-pre-gyp ERR! Tried to download(undefined): https://fsevents-binaries.s3-us-west-2.amazonaws.com/v1.1.2/fse-v1.1.2-node-v64-darwin-x64.tar.gz
node-pre-gyp ERR! Pre-built binaries not found for fsevents@1.1.2 and node@10.16.0 (node-v64 ABI) (falling back to source compile with node-gyp)
node-pre-gyp http Connection closed while downloading tarball file
gyp info it worked if it ends with ok
gyp info using node-gyp@3.8.0
gyp info using node@10.16.0 | darwin | x64
gyp info it worked if it ends with ok
gyp info using node-gyp@3.8.0
gyp info using node@10.16.0 | darwin | x64
gypgyp  infoinfo  okok

gyp info it worked if it ends with ok
gyp info it worked if it ends with ok
gyp info using node-gyp@3.8.0
gyp info using node@10.16.0 | darwin | x64
gyp info using node-gyp@3.8.0
gyp info using node@10.16.0 | darwin | x64
gyp WARN download NVM_NODEJS_ORG_MIRROR is deprecated and will be removed in node-gyp v4, please use NODEJS_ORG_MIRROR
gyp WARN download NVM_NODEJS_ORG_MIRROR is deprecated and will be removed in node-gyp v4, please use NODEJS_ORG_MIRROR
gyp WARN download NVM_NODEJS_ORG_MIRROR is deprecated and will be removed in node-gyp v4, please use NODEJS_ORG_MIRROR
gyp WARN download NVM_NODEJS_ORG_MIRROR is deprecated and will be removed in node-gyp v4, please use NODEJS_ORG_MIRROR
gyp info spawn /usr/bin/python
gyp info spawn args [ '/Users/chris/galley/store/node_modules/node-gyp/gyp/gyp_main.py',
gyp info spawn args   'binding.gyp',
gyp info spawn args   '-f',
gyp info spawn args   'make',
gyp info spawn args   '-I',
gyp info spawn args   '/Users/chris/galley/store/node_modules/fsevents/build/config.gypi',
gyp info spawn args   '-I',
gyp info spawn args   '/Users/chris/galley/store/node_modules/node-gyp/addon.gypi',
gyp info spawn args   '-I',
gyp info spawn args   '/Users/chris/.node-gyp/10.16.0/include/node/common.gypi',
gyp info spawn args   '-Dlibrary=shared_library',
gyp info spawn args   '-Dvisibility=default',
gyp info spawn args   '-Dnode_root_dir=/Users/chris/.node-gyp/10.16.0',
gyp info spawn args   '-Dnode_gyp_dir=/Users/chris/galley/store/node_modules/node-gyp',
gyp info spawn args   '-Dnode_lib_file=/Users/chris/.node-gyp/10.16.0/<(target_arch)/node.lib',
gyp info spawn args   '-Dmodule_root_dir=/Users/chris/galley/store/node_modules/fsevents',
gyp info spawn args   '-Dnode_engine=v8',
gyp info spawn args   '--depth=.',
gyp info spawn args   '--no-parallel',
gyp info spawn args   '--generator-output',
gyp info spawn args   'build',
gyp info spawn args   '-Goutput_dir=.' ]
gyp info spawn /usr/bin/python
gyp info spawn args [ '/Users/chris/galley/store/node_modules/node-gyp/gyp/gyp_main.py',
gyp info spawn args   'binding.gyp',
gyp info spawn args   '-f',
gyp info spawn args   'make',
gyp info spawn args   '-I',
gyp info spawn args   '/Users/chris/galley/store/node_modules/fsevents/build/config.gypi',
gyp info spawn args   '-I',
gyp info spawn args   '/Users/chris/galley/store/node_modules/node-gyp/addon.gypi',
gyp info spawn args   '-I',
gyp info spawn args   '/Users/chris/.node-gyp/10.16.0/include/node/common.gypi',
gyp info spawn args   '-Dlibrary=shared_library',
gyp info spawn args   '-Dvisibility=default',
gyp info spawn args   '-Dnode_root_dir=/Users/chris/.node-gyp/10.16.0',
gyp info spawn args   '-Dnode_gyp_dir=/Users/chris/galley/store/node_modules/node-gyp',
gyp info spawn args   '-Dnode_lib_file=/Users/chris/.node-gyp/10.16.0/<(target_arch)/node.lib',
gyp info spawn args   '-Dmodule_root_dir=/Users/chris/galley/store/node_modules/fsevents',
gyp info spawn args   '-Dnode_engine=v8',
gyp info spawn args   '--depth=.',
gyp info spawn args   '--no-parallel',
gyp info spawn args   '--generator-output',
gyp info spawn args   'build',
gyp info spawn args   '-Goutput_dir=.' ]
gyp info ok
gyp info ok
gypgyp info it worked if it ends with ok
 info it worked if it ends with ok
gyp info using node-gyp@3.8.0
gyp info using node@10.16.0 | darwin | x64
gyp info using node-gyp@3.8.0
gyp info using node@10.16.0 | darwin | x64
gyp WARN download NVM_NODEJS_ORG_MIRROR is deprecated and will be removed in node-gyp v4, please use NODEJS_ORG_MIRROR
gyp WARN download NVM_NODEJS_ORG_MIRROR is deprecated and will be removed in node-gyp v4, please use NODEJS_ORG_MIRROR
gyp info spawn make
gyp info spawn args [ 'BUILDTYPE=Release', '-C', 'build' ]
gyp info spawn make
gyp info spawn args [ 'BUILDTYPE=Release', '-C', 'build' ]
  SOLINK_MODULE(target) Release/.node
  SOLINK_MODULE(target) Release/.node
  CXX(target) Release/obj.target/fse/fsevents.o
  CXX(target) Release/obj.target/fse/fsevents.o
In file included from ../fsevents.cc:6:
In file included from ../node_modules/nan/nan.h:192:
../node_modules/nan/nan_maybe_43_inl.h:112:15: error: no member named 'ForceSet' in 'v8::Object'
  return obj->ForceSet(isolate->GetCurrentContext(), key, value, attribs);
         ~~~  ^
In file included from ../fsevents.cc:6:
In file included from ../node_modules/nan/nan.h:192:
../node_modules/nan/nan_maybe_43_inl.h:112:15: error: no member named 'ForceSet' in 'v8::Object'
  return obj->ForceSet(isolate->GetCurrentContext(), key, value, attribs);
         ~~~  ^
In file included from ../fsevents.cc:6:
../node_modules/nan/nan.h:834:18: warning: 'MakeCallback' is deprecated: Use MakeCallback(..., async_context) [-Wdeprecated-declarations]
    return node::MakeCallback(
                 ^
/Users/chris/.node-gyp/10.16.0/include/node/node.h:176:1: note: 'MakeCallback' has been explicitly marked deprecated here
NODE_DEPRECATED(\"Use MakeCallback(..., async_context)\",
^
/Users/chris/.node-gyp/10.16.0/include/node/node.h:91:20: note: expanded from macro 'NODE_DEPRECATED'
    __attribute__((deprecated(message))) declarator
                   ^
In file included from ../fsevents.cc:6:
../node_modules/nan/nan.h:849:18: warning: 'MakeCallback' is deprecated: Use MakeCallback(..., async_context) [-Wdeprecated-declarations]
    return node::MakeCallback(
                 ^
/Users/chris/.node-gyp/10.16.0/include/node/node.h:169:1: note: 'MakeCallback' has been explicitly marked deprecated here
NODE_DEPRECATED(\"Use MakeCallback(..., async_context)\",
^
/Users/chris/.node-gyp/10.16.0/include/node/node.h:91:20: note: expanded from macro 'NODE_DEPRECATED'
    __attribute__((deprecated(message))) declarator
                   ^
In file included from ../fsevents.cc:6:
../node_modules/nan/nan.h:834:18: warning: 'MakeCallback' is deprecated: Use MakeCallback(..., async_context) [-Wdeprecated-declarations]
    return node::MakeCallback(
                 ^
/Users/chris/.node-gyp/10.16.0/include/node/node.h:176:1: note: 'MakeCallback' has been explicitly marked deprecated here
NODE_DEPRECATED(\"Use MakeCallback(..., async_context)\",
^
In file included from ../fsevents.cc:6/Users/chris/.node-gyp/10.16.0/include/node/node.h:91:20::
../node_modules/nan/nan.h :864note:: 18expanded from macro 'NODE_DEPRECATED': warning:
'MakeCallback' is deprecated: Use MakeCallback(..., async_context) [-Wdeprecated-declarations]
    __attribute__((deprecated(message))) declarator
                   ^
    return node::MakeCallback(
                 ^
/Users/chris/.node-gyp/10.16.0/include/node/node.h:162:1: note: 'MakeCallback' has been explicitly marked deprecated here
NODE_DEPRECATED(\"Use MakeCallback(..., async_context)\",
^
/Users/chris/.node-gyp/10.16.0/include/node/node.h:91:20: note: expanded from macro 'NODE_DEPRECATED'
    __attribute__((deprecated(message))) declarator
                   ^
In file included from ../fsevents.cc:6:
../node_modules/nan/nan.h:849:18: warning: 'MakeCallback' is deprecated: Use MakeCallback(..., async_context) [-Wdeprecated-declarations]
    return node::MakeCallback(
                 ^
/Users/chris/.node-gyp/10.16.0/include/node/node.h:169:1: note: 'MakeCallback' has been explicitly marked deprecated here
NODE_DEPRECATED(\"Use MakeCallback(..., async_context)\",
^
/Users/chris/.node-gyp/10.16.0/include/node/node.h:91:20: note: expanded from macro 'NODE_DEPRECATED'
    __attribute__((deprecated(message))) declarator
                   ^
In file included from ../fsevents.cc:6:
../node_modules/nan/nan.h:864:18: warning: 'MakeCallback' is deprecated: Use MakeCallback(..., async_context) [-Wdeprecated-declarations]
    return node::MakeCallback(
                 ^
/Users/chris/.node-gyp/10.16.0/include/node/node.h:162:1: note: 'MakeCallback' has been explicitly marked deprecated here
NODE_DEPRECATED(\"Use MakeCallback(..., async_context)\",
^
/Users/chris/.node-gyp/10.16.0/include/node/node.h:91:20: note: expanded from macro 'NODE_DEPRECATED'
    __attribute__((deprecated(message))) declarator
                   ^
In file included from ../fsevents.cc:6:
../node_modules/nan/nan.h:1473:31: warning: 'MakeCallback' is deprecated: Use MakeCallback(..., async_context) [-Wdeprecated-declarations]
    return scope.Escape(node::MakeCallback(
                              ^
/Users/chris/.node-gyp/10.16.0/include/node/node.h:176:1: note: 'MakeCallback' has been explicitly marked deprecated here
NODE_DEPRECATED(\"Use MakeCallback(..., async_context)\",
^
/Users/chris/.node-gyp/10.16.0/include/node/node.h:91:20: note: expanded from macro 'NODE_DEPRECATED'
    __attribute__((deprecated(message))) declarator
                   ^
In file included from ../fsevents.cc:6:
../node_modules/nan/nan.h:1473:31: warning: 'MakeCallback' is deprecated: Use MakeCallback(..., async_context) [-Wdeprecated-declarations]
    return scope.Escape(node::MakeCallback(
                              ^
/Users/chris/.node-gyp/10.16.0/include/node/node.h:176:1: note: 'MakeCallback' has been explicitly marked deprecated here
NODE_DEPRECATED(\"Use MakeCallback(..., async_context)\",
^
/Users/chris/.node-gyp/10.16.0/include/node/node.h:91:20: note: expanded from macro 'NODE_DEPRECATED'
    __attribute__((deprecated(message))) declarator
                   ^
4 warnings and 1 error generated.
4 warnings and 1 error generated.
make: *** [Release/obj.target/fse/fsevents.o] Error 1
make: *** [Release/obj.target/fse/fsevents.o] Error 1
gypgyp  ERR!ERR!  build errorbuild error

gyp ERR! stack Error: `make` failed with exit code: 2
gypgyp  ERR! ERR!stack     at ChildProcess.onExit (/Users/chris/galley/store/node_modules/node-gyp/lib/build.js:262:23)
gyp  stackERR! Error: `make` failed with exit code: 2
 stackgyp     at ChildProcess.emit (events.js:198:13)
 gypERR!  ERR!stack      at ChildProcess.onExit (/Users/chris/galley/store/node_modules/node-gyp/lib/build.js:262:23)
stackgyp     at Process.ChildProcess._handle.onexit (internal/child_process.js:248:12)
 ERR! stack     at ChildProcess.emit (events.js:198:13)
gyp ERR! stack     at Process.ChildProcess._handle.onexit (internal/child_process.js:248:12)
gyp ERR!gyp  ERR!System  Darwin 18.6.0
System Darwin 18.6.0
gypgyp ERR!  commandERR! command \"/Users/chris/.nvm/versions/node/v10.16.0/bin/node\" \"/Users/chris/galley/store/node_modules/node-gyp/bin/node-gyp.js\" \"build\" \"--fallback-to-build\" \"--module=/Users/chris/galley/store/node_modules/fsevents/lib/binding/Release/node-v64-darwin-x64/fse.node\" \"--module_name=fse\" \"--module_path=/Users/chris/galley/store/node_modules/fsevents/lib/binding/Release/node-v64-darwin-x64\"
 \"/Users/chris/.nvm/versions/node/v10.16.0/bin/node\" \"/Users/chris/galley/store/node_modules/node-gyp/bin/node-gyp.js\" \"build\" \"--fallback-to-build\" \"--module=/Users/chris/galley/store/node_modules/fsevents/lib/binding/Release/node-v64-darwin-x64/fse.node\" \"--module_name=fse\" \"--module_path=/Users/chris/galley/store/node_modules/fsevents/lib/binding/Release/node-v64-darwin-x64\"
gyp ERR! gypcwd  /Users/chris/galley/store/node_modules/fsevents
ERR! gypcwd  /Users/chris/galley/store/node_modules/fsevents
ERR! gypnode -v  v10.16.0
ERR! gypnode -v  v10.16.0
ERR! gypnode-gyp -v  v3.8.0
ERR!gyp  node-gyp -vERR! v3.8.0
 not okgyp
 ERR! not ok
node-pre-gyp ERR! build error
node-pre-gyp ERR! stack Error: Failed to execute '/Users/chris/.nvm/versions/node/v10.16.0/bin/node /Users/chris/galley/store/node_modules/node-gyp/bin/node-gyp.js build --fallback-to-build --module=/Users/chris/galley/store/node_modules/fsevents/lib/binding/Release/node-v64-darwin-x64/fse.node --module_name=fse --module_path=/Users/chris/galley/store/node_modules/fsevents/lib/binding/Release/node-v64-darwin-x64' (1)
node-pre-gyp ERR! stack     at ChildProcess.<anonymous> (/Users/chris/galley/store/node_modules/node-pre-gyp/lib/util/compile.js:83:29)
node-pre-gyp ERR! stack     at ChildProcess.emit (events.js:198:13)
node-pre-gyp ERR! stack     at maybeClose (internal/child_process.js:982:16)
node-pre-gyp ERR! stack     at Process.ChildProcess._handle.onexit (internal/child_process.js:259:5)
node-pre-gyp ERR! System Darwin 18.6.0
node-pre-gyp ERR! command \"/Users/chris/.nvm/versions/node/v10.16.0/bin/node\" \"/Users/chris/galley/store/node_modules/fsevents/node_modules/.bin/node-pre-gyp\" \"install\" \"--fallback-to-build\"
node-pre-gyp ERR! cwd /Users/chris/galley/store/node_modules/fsevents
node-pre-gyp ERR! node -v v10.16.0
node-pre-gyp ERR! node-pre-gyp -v v0.6.38
node-pre-gyp ERR! not ok
Failed to execute '/Users/chris/.nvm/versions/node/v10.16.0/bin/node /Users/chris/galley/store/node_modules/node-gyp/bin/node-gyp.js build --fallback-to-build --module=/Users/chris/galley/store/node_modules/fsevents/lib/binding/Release/node-v64-darwin-x64/fse.node --module_name=fse success Saved lockfile.
success Saved 0 new dependencies.
✨  Done in 7.84s.

[jakeNiemiec]

@chrismanderson, my understanding is node-gyp is the bridge between the JS & C++ parts of nodejs. You wouldn't need to install it for a webpacker project. I would only update it by updating your node version using nvm.

But, if you really want to do this, here is a guide on updating the bundled node gyp: https://github.com/nodejs/node-gyp/wiki/Updating-npm's-bundled-node-gyp. If you are on Linux/Mac OS X, the incantations are: npm explore npm -g -- npm install node-gyp@latest

Fair warning: updating library internals without waiting for a release can lead to breakage, good luck.

Npm has fixed: https://github.com/npm/cli/blob/latest/package-lock.json#L6239
Webpack has fixed: https://github.com/webpack/webpack/blob/master/yarn.lock#L6568
Yarn is on the previous version: https://github.com/yarnpkg/yarn/blob/master/yarn.lock#L7161

I am going to close this since there is nothing webpacker can do except wait for yarn to update, feel free to re-open if the situation changes. Plus, you're not going to be extracting tarballs with @rails/webpacker (at least, I hope not). Thanks for reporting!

[chrismanderson]

"I" don't need to install it - but looks like webpacker does have a dependency. Just set up a new Rails 6rc1 app with Webpacker 4 - node-gyp gets pulled in by node-sass which is pulled in by @rails/webpacker. So following the instructions you provided - is that updating the node-gyp that is part of node itself? Or the depedency pulled in by webpacker -> node-sass.

(Freely admit that my knowledge of node packages is pretty limited, and boils down to doing what the webpacker readme tells me to do 😄 , but just never like seeing Github security warnings go undeeded.)

[jakeNiemiec]

Ok, rewind. @rails/webpacker depends on 👉 node-sass & yarn which depend on 👉 node-gyp which depends on 👉 node-tar. node-tar was the vulnerable package.

You can try this for yourself with yarn list --pattern tar (or bin/yarn list --pattern tar). It will give you something like:

node-gyp gets pulled in by node-sass which is pulled in by @rails/webpacker

node-sass relies on pre-compiled C++ binaries from libsass https://github.com/sass/libsass. In this case, I doubt that node-gyp uses node-tar for this. Read more about the Google gyp project: https://gyp.gsrc.io/

is that updating the node-gyp that is part of node itself? Or the depedency pulled in by webpacker -> node-sass.

It can be both. Think of your package.json as a carpenters workshop full of interdependent tools (like how you would need a hammer if you want to use a chissel). 2 carpenters tools (webpacker & node-sass) require access to a multi-purpose hammer (node-gyp) that has any kind of head (node-tar).

This is why I linked the lock files, it specifies what version each is using. In our case, yarn is the problem because it is using an older version. I could not find any issues concerned with tar.

You very well could ninja-swap the dependencies to be updated, but I would advise against it. The fix was released 14 days ago, I would wait at least 2 more weeks.

[chrismanderson]

That was a super helpful explanation - thank you! Will definitely avoid ninja swapping and just wait.