=== npm audit security report ===
┌───────────────────────────────────────────────────────────────────┐
│ Manual Review │
│ Some vulnerabilities require your attention to resolve │
│ │
│ Visit https://go.npm.me/audit-guide for additional guidance │
└───────────────────────────────────────────────────────────────────┘
┌───────────────┬───────────────────────────────────────────────────┐
│ High │ Arbitrary File Overwrite │
├───────────────┼───────────────────────────────────────────────────┤
│ Package │ tar │
├───────────────┼───────────────────────────────────────────────────┤
│ Patched in │ >=4.4.2 │
├───────────────┼───────────────────────────────────────────────────┤
│ Dependency of │ gulp-sass │
├───────────────┼───────────────────────────────────────────────────┤
│ Path │ gulp-sass > node-sass > node-gyp > tar │
├───────────────┼───────────────────────────────────────────────────┤
│ More info │ https://nodesecurity.io/advisories/803 │
└───────────────┴───────────────────────────────────────────────────┘
found 1 high severity vulnerability in 7659 scanned packages
1 vulnerability requires manual review. See the full report for details.
-
Also getting it in Angular Cli: https://github.com/angular/angular-cli/issues/14221 – mwilson Apr 19 '19 at 17:26
-
As noted by @alagaesia (Deleted answer) *This issue is currently open https://github.com/sass/node-sass/issues/2625*. As noted by Prateek Kumar Dalbehera: *See this link https://stackoverflow.com/questions/55638180/how-to-fix-npm-package-tar-with-high-vulnerability-about-arbitrary-file-overwri#answer-55766169* – Roko C. Buljan Jun 18 '19 at 13:01
2 Answers
My suggestion would be to attempt to upgrade, but they do look to be dependent on 3rd party packages.
For the regexDOS, if the right input goes in, it could grind things down to a stop, unlike the second vulnerability. You should strive to upgrade this one first or remove it completely if you can't.
But js-yaml might keep some connections lingering for longer than it should. In the unlikely case that you can't upgrade, there are packages out there that you could use to monitor and close off remaining HTTP connections and cheaply hold off a small DoS attack. Fail2ban and Splunk for monitoring spring to mind for Linux :)

-
`"resolutions": { "braces": "^2.3.2", }` I tried adding this code to package.json and it's not working – inhyechoi Apr 11 '19 at 18:13
-
What would be the command in terminal to update braces to a higher version? – inhyechoi Apr 11 '19 at 18:15
-
Thank you David, I get `+ braces@2.3.2` after updating, but when I try to run npm audit fix or npm audit again, the braces issue is still remaining – inhyechoi Apr 11 '19 at 18:37
-
Unfortunately those are dependencies someone has added to their project; there isn't much that you can do in that case apart from reporting it directly to the developers, notice `Dependency of │ browser-sync [dev] `. If you feel like my answer was helpful, when you have a moment, feel free to mark it :) – David Silveiro Apr 11 '19 at 18:55
-
What I tried after reading your comment was I just deleted all dependencies. The only problem after that is that I'm getting just 1 vulnerability now where it says that there's "Arbitrary file overwrite" in tar. Do you have any idea? – inhyechoi Apr 11 '19 at 19:41
-
Could you update your original post with the new vulnerabilities details? :) – David Silveiro Apr 11 '19 at 20:37
-
I just updated below the original vulnerability msg. I tried removing node_modules and reinstalling, but I'm still getting the same result for this new error – inhyechoi Apr 11 '19 at 20:42
-
Hi David, I think I fixed the issue. I noticed that I was missing a .gitignore file in my theme, and I tried adding it with the ignore line `themes/themename/node_modules/`, ran gulp again and it worked. Thank you! – inhyechoi Apr 11 '19 at 21:12
-
This answer is not clear. What does braces have to do with anything? – Gabe Hiemstra Apr 16 '19 at 08:42
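The thread above turns on one question: which direct dependency in package.json owns the vulnerable path (`gulp-sass > node-sass > node-gyp > tar`), and whether the installed version already satisfies the advisory's patched range. The script below is an added example, not code from the question or either answer, that triages a report in the shape of `npm audit --json`. The report object is constructed by hand to mirror npm 6's JSON layout (advisories keyed by id, each with `findings[].paths` and `patched_versions`); those field names are an assumption, not a specification, and the range check deliberately understands only the simple `>=X.Y.Z` form so that anything else is handed back for manual review rather than guessed.

```javascript
// Added example (not from the question or answers): triage an `npm audit --json`
// report for transitive advisories such as the tar one in the question.
// The report object is constructed by hand and only mirrors the shape of
// npm 6's JSON output; the exact field names are an assumption, not a spec.

const auditReport = {
  advisories: {
    "803": {
      id: 803,
      module_name: "tar",
      severity: "high",
      title: "Arbitrary File Overwrite",
      vulnerable_versions: "<4.4.2",
      patched_versions: ">=4.4.2",
      findings: [
        { version: "2.2.2", paths: ["gulp-sass>node-sass>node-gyp>tar"] },
      ],
    },
  },
};

// "X.Y.Z" -> [X, Y, Z]; null for anything that is not a plain release version.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(String(v).trim());
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

// Numeric, component-wise comparison so that 4.10.0 sorts after 4.4.2.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Only the simple ">=X.Y.Z" lower-bound form is understood; any other range
// (or a pre-release version) returns null so it is reviewed by hand rather
// than silently treated as fixed.
function satisfiesPatched(installed, patchedRange) {
  const m = /^>=\s*(\d+\.\d+\.\d+)$/.exec(String(patchedRange).trim());
  const inst = parseVersion(installed);
  if (!m || !inst) return null;
  return compareVersions(inst, parseVersion(m[1])) >= 0;
}

// One row per vulnerable path. `topLevel` is the direct dependency that pulls
// the module in (the one to upgrade, pin, or report upstream); `direct` is
// true when the vulnerable module itself is a top-level dependency.
function triage(report) {
  const rows = [];
  for (const adv of Object.values(report.advisories)) {
    for (const finding of adv.findings) {
      for (const path of finding.paths) {
        const chain = path.split(">");
        rows.push({
          id: adv.id,
          module: adv.module_name,
          severity: adv.severity,
          installed: finding.version,
          patchedRange: adv.patched_versions,
          patched: satisfiesPatched(finding.version, adv.patched_versions),
          topLevel: chain[0],
          depth: chain.length - 1,
          direct: chain.length === 1,
        });
      }
    }
  }
  return rows;
}

// Rows that `npm audit fix` cannot settle on its own: still vulnerable (or of
// unknown status) and reached only through another package's dependency tree.
function needsManualReview(rows) {
  return rows.filter((r) => r.patched !== true && !r.direct);
}

const triaged = triage(auditReport);
for (const r of needsManualReview(triaged)) {
  console.log(
    `[${r.severity}] ${r.module}@${r.installed} via ${r.topLevel} ` +
      `(${r.depth} levels deep), needs ${r.patchedRange}`
  );
}
```

Run against a real report with `npm audit --json > audit.json` and `JSON.parse(fs.readFileSync("audit.json"))` in place of the constructed object. The `topLevel` column is what matters for the next step: it is the package whose maintainers must bump their own dependency (here node-sass/node-gyp, tracked in the linked issue), or that you pin or replace yourself, since a resolutions entry for the leaf module alone does not change what the intermediate packages declare.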
A security audit is an assessment of package dependencies for security vulnerabilities. Security audits help you protect your package’s users by enabling you to find and fix known vulnerabilities in dependencies that could cause data loss, service outages, unauthorized access to sensitive information, or other issues.
npm install npm@latest -g
That worked for me.