stackoom
  简体   繁体   中英

npm audit Arbitrary File Overwrite

 原文  2019-04-11 14:48:07       node.js/ npm/ sass/ tar/ node-gyp

Question

I recently updated my version of angular using ng update and when running npm audit it found 1 high severity vulnerability but offered no suggestions on how to resolve it. It usually suggests to upgrade a package from package.json like: "angular-devkit/build-angular" but I am already using their latest version. 

                   === npm audit security report ===                        


                             Manual Review                                  
         Some vulnerabilities require your attention to resolve             

      Visit https://go.npm.me/audit-guide for additional guidance           


High            Arbitrary File Overwrite                                      

Package         tar                                                           

Patched in      >=4.4.2                                                       

Dependency of   @angular-devkit/build-angular [dev]                           

Path            @angular-devkit/build-angular > node-sass > node-gyp > tar    

More info       https://npmjs.com/advisories/803                              

found 1 high severity vulnerability in 29707 scanned packages
1 vulnerability requires manual review. See the full report for details.

I thought of installing npm i tar but I am not sure.

3 answers

solution1
 6  2019-04-11 16:54:10

angular-cli relies on node-gyp , who have an open issue for this: https://github.com/nodejs/node-gyp/issues/1714

To work around, you can patch node-gyp and then patch angular to use your patched node-gyp. Or wait and hope that they will fix it soon.

solution2
 5 ACCPTED  2019-04-24 08:57:09

The following worked for me:

Go to node_modules > node_gyp > package.json, then locate tar under dependencies and replace 2.0.0 with 4.4.8.

Then run:

  1. npm i
  2. npm audit
  3. npm audit fix
  4. npm audit

you should see 0 vulnerabilities.

I've updated a few angular projects and each project had the same issue. Doing the above worked all the time.

solution3
 0  2019-04-12 10:25:18

You should search in your package-lock.json this: 

"tar": {
  "version": "2.2.1",
  "resolved": "https://registry.npmjs.org/tar/-/tar-2.2.1.tgz",

And reemplace for that: 

"tar": {
  "version": "4.4.8",
  "resolved": "https://registry.npmjs.org/tar/-/tar-4.4.8.tgz",

That worked for me

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Generate NPM Audit into a Json file npm audit versus yarn audit npm audit EINVALIDTAGNAME How to leverage npm audit? NPM audit warnings NPM Audit fixes NPM audit vulnerabilities npm audit fix not changing anything npm audit gets stuck on ENOAUDIT How to resolve NPM audit vulnerabilities?
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM