13

I recently updated my version of Angular using `ng update` and when running `npm audit` it found 1 high severity vulnerability but offered no suggestions on how to resolve it. It usually suggests upgrading a package from package.json like `@angular-devkit/build-angular`, but I am already using their latest version.

```
                   === npm audit security report ===

                             Manual Review
         Some vulnerabilities require your attention to resolve

      Visit https://go.npm.me/audit-guide for additional guidance

High            Arbitrary File Overwrite
Package         tar
Patched in      >=4.4.2
Dependency of   @angular-devkit/build-angular [dev]
Path            @angular-devkit/build-angular > node-sass > node-gyp > tar
More info       https://npmjs.com/advisories/803

found 1 high severity vulnerability in 29707 scanned packages
1 vulnerability requires manual review. See the full report for details.
```

I thought of running `npm i tar` but I am not sure.

mruanova
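The "Path" line in the audit report above is derived from package-lock.json, which is also the file `npm install` reads when it rebuilds node_modules. The following is an added example, not code from the question or from any of the answers: it walks a lockfileVersion 1 tree (the layout npm 6 wrote at the time) and lists every install of a package whose version is below the advisory's "Patched in" version. The lock contents are constructed for the example; the versions of @angular-devkit/build-angular, node-sass and node-gyp are made up and only the dependency chain and the tar versions mirror the report. The function names are my own.

```javascript
// Added example, not from the question or answers: locate every copy of a
// package in a lockfileVersion 1 package-lock.json and report the ones whose
// resolved version is still below the patched version.

// CONSTRUCTED lock file: only the chain
// @angular-devkit/build-angular > node-sass > node-gyp > tar and the tar
// versions come from the audit report; the other version numbers are made up.
const sampleLock = {
  name: "example-app",
  lockfileVersion: 1,
  dependencies: {
    "@angular-devkit/build-angular": {
      version: "0.13.0",
      dev: true,
      requires: { "node-sass": "^4.11.0" },
      dependencies: {
        "node-sass": {
          version: "4.11.0",
          dev: true,
          requires: { "node-gyp": "^3.8.0" },
          dependencies: {
            "node-gyp": {
              version: "3.8.0",
              dev: true,
              requires: { tar: "^2.0.0" },
              dependencies: {
                // the nested copy the audit complains about
                tar: { version: "2.2.1", dev: true },
              },
            },
          },
        },
      },
    },
    // a hoisted top-level copy that is already patched
    tar: { version: "4.4.8" },
  },
};

// Compare two dotted numeric versions; returns -1, 0 or 1.
// Pre-release tags are not handled, which is fine for the versions in this report.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Recursively collect every occurrence of `pkg`, together with the chain of
// parents that nests it (the same "Path" that npm audit prints).
function findPaths(deps, pkg, prefix = []) {
  const hits = [];
  for (const [name, entry] of Object.entries(deps || {})) {
    const path = [...prefix, name];
    if (name === pkg) hits.push({ path, version: entry.version, dev: !!entry.dev });
    hits.push(...findPaths(entry.dependencies, pkg, path));
  }
  return hits;
}

// Keep only the occurrences whose version is below `patchedIn`.
function vulnerableInstalls(lock, pkg, patchedIn) {
  return findPaths(lock.dependencies, pkg).filter(
    (hit) => compareVersions(hit.version, patchedIn) < 0
  );
}

// Render one hit the way the audit report does.
function formatHit(hit) {
  return `${hit.path.join(" > ")} (${hit.version}${hit.dev ? ", dev" : ""})`;
}

// Usage: on a real project replace sampleLock with
// JSON.parse(require("fs").readFileSync("package-lock.json", "utf8")).
const bad = vulnerableInstalls(sampleLock, "tar", "4.4.2");
console.log(bad.length ? bad.map(formatHit).join("\n") : "no vulnerable tar installs");
```

Only the nested copy under node-gyp is reported; the hoisted 4.4.8 copy passes. Because the check reads the lock file rather than node_modules, a version bumped only inside node_modules/node-gyp/package.json never appears here, which is the same reason such an edit does not survive a fresh `npm install`.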

3 Answers

7

The following worked for me:

Go to `node_modules > node-gyp > package.json`, then locate `tar` under `dependencies` and replace 2.0.0 with 4.4.8.

Then run:

  1. `npm i`
  2. `npm audit`
  3. `npm audit fix`
  4. `npm audit`

You should see 0 vulnerabilities.

I've updated a few angular projects and each project had the same issue. Doing the above worked all the time.

Spiderman
  • This is bad. Changing local node_modules is always a poor solution, as your changes won't be reflected on fresh installations. – Jota.Toledo May 05 '19 at 12:19
  • Your understanding is wrong. For a detailed approach see https://stackoverflow.com/questions/51377148/how-to-fix-npm-vulnerabilities-manually – Jota.Toledo May 07 '19 at 07:32
  • Fresh installations: cloning your project (assuming that it's a git repo) and running `npm install`, or deleting your complete `node_modules` folder and running `npm install`. In both cases your local changes to your node modules won't be reflected. – Jota.Toledo May 07 '19 at 07:33
6

angular-cli relies on node-gyp, which has an open issue for this: https://github.com/nodejs/node-gyp/issues/1714

To work around, you can patch node-gyp and then patch angular to use your patched node-gyp. Or wait and hope that they will fix it soon.

masterfloda
-1

You should search your package-lock.json for this:

```json
"tar": {
  "version": "2.2.1",
  "resolved": "https://registry.npmjs.org/tar/-/tar-2.2.1.tgz",
```

And replace it with this:

```json
"tar": {
  "version": "4.4.8",
  "resolved": "https://registry.npmjs.org/tar/-/tar-4.4.8.tgz",
```

That worked for me.

Nacho
  • https://github.com/angular/angular-cli/issues/14138#issuecomment-482526439 – gloomy.penguin Apr 13 '19 at 00:20
  • If you read the comments in the link above provided by gloomy.penguin it says: "Do NOT manually edit the lock file. Wait till sass is updated and give the angular chaps time, it's Friday (2019-04-12 for us anyway) We aren't releasing this weekend. The Angular guys are extremely quick at resolving issues, patience is key." – mruanova Apr 15 '19 at 19:43