NPM Audit issue - Arbitrary File Overwrite

[ma-jahn]

• Node Version: node@v10.7.0 && npm@6.4.1
• Platform: OSX

Details

NPM Audit issue:
Version 3.8.0 of node-gyp relies on tar < 4.4.2 which comes with a high Vulnerability (https://www.npmjs.com/advisories/803)

I can see that you have updated this dependency within your master branch, but version 4.0.0 is not yet released.

Can you let me know if and when this fix will be available?

Thanks

[antoniopaisfernandes]

#1713

[cberg-zalando]

Following the comment stream in #1713 does not clearly say whether the fix will be backported into the v3.x branch. @richardlau just mentioned that the update of tar from version 2.* to 3.* was considered a breaking change at that time so it was only applied to master.

[romanstingler]

It's a shame that this is known since april 4th and there is still no release.
Furthermore, it should be fixed a year ago when the issue was found in node-tar April 30th 2018.

You guys with your infinite number of dependencies should try a rolling release, as soon as one dependency is updatable you should upgrade and don't stick with node v4 which hasn't been updated since march 2018 so security updates or whatsoever.

In my opinion merge #1670 and #1718 and release this piece of ..
and don't waste time in discussions if there should be a major or minor version bump, as it breaks compatibility with node 4 there must be a major release bump.

see semver.org

[flyke]

This is how I fixed this in my project, please let me know if there is a better way:
npm install -D node-gyp
npm install -D tar@">4.4.7"

Edit package-lock.json and replace:
"tar": { "version": "2.2.1", "resolved": "https://registry.npmjs.org/tar/-/tar-2.2.1.tgz", "integrity": "sha1-jk0qJWwOIYXGsYrWlK7JaLg8sdE=", "dev": true, "requires": { "block-stream": "*", "fstream": "^1.0.2", "inherits": "2" } }

with:

"tar": { "version": "4.4.8", "resolved": "https://registry.npmjs.org/tar/-/tar-4.4.8.tgz", "integrity": "sha512-LzHF64s5chPQQS0IYBn9IN5h3i98c12bo4NCO7e0sGM2llXQ3p2FGC5sdENN4cTW48O915Sh+x+EXx7XW96xYQ==", "dev": true, "requires": { "chownr": "^1.1.1", "fs-minipass": "^1.2.5", "minipass": "^2.3.4", "minizlib": "^1.1.1", "mkdirp": "^0.5.0", "safe-buffer": "^5.1.2", "yallist": "^3.0.2" } }

[ma-jahn]

@flyke Have a look at: #1713
Updating tar comes with a breaking change, therefor manually overwriting the tar version in your package-lock.json will most likely break node-gyp and should therefore imho not be recommended solution.

[flyke]

@ma-jahn I am very open to any suggestion that fixes major security flaws like this. So if you have any 'good way' to fix this, please share, I would be very grateful.

[ma-jahn]

A fix is currently in progress: 1456ef2

[I-keep-trying]

A fix is currently in progress: 1456ef2

Is there any reason a person couldn't, in the meantime, when installing node-sass, change package.json to include node-gyp 4.0.0, which already includes the updated tar version?

Edit: To clarify, I'm not suggesting editing the package-lock directly. Just do

npm install -D node-sass

Then, edit the node-sass package.json to correct the node-gyp version, and then just do

npm install

?

[JoshRobertson]

1456ef2

That fix is for 4.0.0 which hasn't been released to NPM yet.

This is the PR to release a 3.x update :
#1718

This is the ticket regarding 4.0.0 not published to npm:
#1721

[I-keep-trying]

So, nobody knows what we are supposed to do in the meantime? Just don't use node-sass? I'm not trying to be hyperbolic, I honestly don't know how serious this is.

[sidhujaspreet]

Just switched to node-sass for current project and ran into the same issue. Seems like it's been there since few days now, please pick this one up on priority.
Would be good to have rolling release as suggested by @romanstingler .