How to fix NPM package Tar, with high vulnerability about Arbitrary File Overwrite, when package is up to date?

Question

I just installed Flickity from NPM and got an NPM Audit Security Report after running npm audit stating that I have a high vulnerability issue regarding Arbitrary File Overwrite on package tar which is a dependency of node-sass as you can see here:

High......................... Arbitrary File Overwrite                                     
Package...................... tar                                                          
Patched in................... >=4.4.2                                                      
Dependency of................ node-sass [dev]                                              
Path......................... node-sass > node-gyp > tar                                   
More info.................... https://npmjs.com/advisories/803

Running npm audit fix didn't solve the problem as the vulnerability requires manual review. The recommendation at the more info link says to upgrade to version 4.4.2 or later. When I ran npm show tar version I realized I'm running version 4.4.8 so that confused me. I went to package-lock.json and realized node-gyp, which is a dependency of node-sass, is using tar version ^2.0.0

This is confusing me since I've seen many different tar versions as a dependency of other packages but this node-sass > node-gyp > tar version is the only one bellow v4.4.2. Why does it work like that, why do I have to manually fix it and how can I manualy fix/upgrade this one tar package?

score 20 · Accepted Answer · answered Apr 11 '19 at 18:51

20

The issue is being tracked on the gitgub page

https://github.com/sass/node-sass/issues/2625

answered Apr 11 '19 at 18:51

A.J.

904
9
20

score 5 · Answer 2 · answered Apr 19 '19 at 18:25

Please update the value for "tar" in your "package-lock.json" file. And to verify, run "[npm audit][1]".

"tar": {
      "version": "4.4.8",
      "resolved": "https://registry.npmjs.org/tar/-/tar-4.4.8.tgz",
      "integrity": "value",
      "dev": true,
      "optional": true,
      "requires": {
        "block-stream": "*",
        "fstream": "^1.0.2",
        "inherits": "2"
      }
    }

score 2 · Answer 3 · answered Apr 15 '19 at 06:33

2

In your package-lock.jason update tar for node to below (v 4.4.8):

"version": "4.4.8", "resolved": "https://registry.npmjs.org/tar/-/tar-4.4.8.tgz"

answered Apr 15 '19 at 06:33

nobi malik

57
8

7

npm might overwriet these settings so: use npm ci to load your settings from package-lock.jason file instead of package.jason – nobi malik Apr 15 '19 at 06:47
You're comment did for me what no other answer did. Thanks! – catch22 May 16 '19 at 19:26

score 1 · Answer 4 · answered Jun 23 '19 at 13:25

From the SASS github issue: open package-lock.json Find "tar" Which should look like this:

"version": "2.2.1",
"resolved": "https://registry.npmjs.org/tar/-/tar-2.2.1.tgz",
"integrity": "sha1-jk0qJWwOIYXGsYrWlK7JaLg8sdE=",

Replace those 3 lines with:

"version": "4.4.8",
"resolved": "https://registry.npmjs.org/tar/-/tar-4.4.8.tgz",
"integrity": "sha512-LzHF64s5chPQQS0IYBn9IN5h3i98c12bo4NCO7e0sGM2llXQ3p2FGC5sdENN4cTW48O915Sh+x+EXx7XW96xYQ==",

delete the folder:

node_modules\npm
npm i
npm audit fix
npm audit

Tada!

No need to do that. `npm audit fix` alone will repair it since this issue has been solved and closed as you can see here https://github.com/sass/node-sass/issues/2625 (approved answer above) — Wilbert Caba, Jun 30 '19 at 17:11

How to fix NPM package Tar, with high vulnerability about Arbitrary File Overwrite, when package is up to date?

4 Answers4

Linked