So I run `npm audit` and all of the vulnerabilities are due to some dependency in npm, particularly `node-gyp` which is using a vulnerable version of `tar`. Note that I don’t have `node-gyp` in my `package.json`.

```text
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Arbitrary File Overwrite                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ tar                                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=2.2.2 <3.0.0 || >=4.4.2                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ npm                                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ npm > npm-lifecycle > node-gyp > tar                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/803                             │
└───────────────┴──────────────────────────────────────────────────────────────┘
```

I tried updating to the latest version of npm but I still get the same audit report. It’s quite nested. How do I resolve this?

catandmouse
  • Upgrading Node and NPM won't change the version of [*the package `npm`*](https://www.npmjs.com/package/npm) that you depend on. If you want to update a transitive/nested dependency, see e.g. https://stackoverflow.com/q/15806152/3001761. – jonrsharpe Jun 26 '19 at 09:26
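The audit row `Path` is the chain of nested `dependencies` entries in `package-lock.json`, which is why a top-level copy of `tar` can be fine while the copy under `npm > npm-lifecycle > node-gyp` is not. The script below is an added example, not code from the question or its comments: it walks a lockfile-v1-style tree, prints every copy of a package with the same `a > b > c` path that `npm audit` shows, and flags the copies whose version falls outside the `Patched in` range. The lockfile content and all version numbers in it are constructed for illustration, and the range matcher is a deliberately minimal one that only understands the `>=x.y.z <x.y.z || >=x.y.z` shape in the advisory row; against a real lockfile you would read the file with `JSON.parse` and use the `semver` package instead.

```javascript
// Added example (not from the question): find nested copies of a package in an
// npm lockfile-v1 style tree and compare each against a "Patched in" range.

// Constructed sample in the shape of a v1 package-lock.json: each entry may
// carry its own nested "dependencies" object. Versions are made up.
const SAMPLE_LOCK = {
  dependencies: {
    tar: { version: '4.4.8' }, // top-level copy, inside the patched range
    npm: {
      version: '6.9.0',
      dependencies: {
        'npm-lifecycle': {
          version: '2.1.0',
          dependencies: {
            'node-gyp': {
              version: '3.8.0',
              dependencies: {
                tar: { version: '2.2.1' } // nested copy, below 2.2.2
              }
            }
          }
        }
      }
    }
  }
};

// Split "major.minor.patch" into numbers (pre-release tags are not handled).
function parseVersion(v) {
  return v.split('.').map(Number);
}

// Returns -1, 0 or 1 like a comparator for sort().
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Minimal range matcher: "||" separates alternatives, whitespace separates
// comparators within an alternative, each comparator is an operator plus x.y.z.
function satisfies(version, range) {
  return range.split('||').some(alt =>
    alt.trim().split(/\s+/).every(comp => {
      const m = /^(>=|<=|>|<|=)?(\d+\.\d+\.\d+)$/.exec(comp);
      if (!m) throw new Error(`unsupported comparator: ${comp}`);
      const c = compareVersions(version, m[2]);
      switch (m[1] || '=') {
        case '>=': return c >= 0;
        case '>':  return c > 0;
        case '<=': return c <= 0;
        case '<':  return c < 0;
        default:   return c === 0;
      }
    })
  );
}

// Depth-first walk over nested "dependencies"; collects { path, version } for
// every copy of `name`, with the path formatted the way npm audit prints it.
function findCopies(node, name, trail = []) {
  const found = [];
  for (const [dep, info] of Object.entries(node.dependencies || {})) {
    const path = [...trail, dep];
    if (dep === name) {
      found.push({ path: path.join(' > '), version: info.version });
    }
    found.push(...findCopies(info, name, path));
  }
  return found;
}

// Only the copies whose version is outside the patched range.
function vulnerableCopies(lock, name, patchedRange) {
  return findCopies(lock, name).filter(c => !satisfies(c.version, patchedRange));
}

// Range taken from the "Patched in" row of the audit output above.
const PATCHED = '>=2.2.2 <3.0.0 || >=4.4.2';

for (const c of vulnerableCopies(SAMPLE_LOCK, 'tar', PATCHED)) {
  console.log(`${c.path} (${c.version}) is outside "${PATCHED}"`);
}
```

Running it against the constructed tree prints only the nested path, which is the same line the audit table shows; the top-level `tar` is silent because 4.4.8 satisfies the second alternative of the range. That separation is the point of the comment above: bumping `npm` globally does nothing to the `npm` entry inside your own lockfile, so the copy that needs to change is the one the path names.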

0 Answers