
My issue is pretty much similar to this: How to fix NPM package Tar, with high vulnerability about Arbitrary File Overwrite, when package is up to date?

Installed node v17.2.0 and npm v8.2.0 using brew on a Mac. npm audit keeps giving me these three vulnerabilities:

# npm audit report

tar  <=4.4.17
Severity: high
Arbitrary File Creation/Overwrite on Windows via insufficient relative path sanitization - https://github.com/advisories/GHSA-5955-9wpr-37jh
Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning using symbolic links - https://github.com/advisories/GHSA-9r2w-394v-53qc
Arbitrary File Creation/Overwrite due to insufficient absolute path sanitization - https://github.com/advisories/GHSA-3jfq-g458-7qm9
Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning - https://github.com/advisories/GHSA-r628-mhmh-qjhw
fix available via `npm audit fix`
node_modules/tar-pack/node_modules/tar
  tar-pack  *
  Depends on vulnerable versions of tar
  node_modules/tar-pack
    create-react-app  >=1.3.0-alpha.58689133
    Depends on vulnerable versions of tar-pack
    node_modules/create-react-app

3 high severity vulnerabilities

It says a fix is available via npm audit fix, and I try that, but it doesn't change anything.

The package-lock.json file tells me that the tar version is 6.1.11, and so does npm show tar version. The only place where I find a tar version <= 4.4.17 is under the tar-pack dependencies. I tried to manually change it to 6.1.11, but it magically reverts whenever I try to use npm audit fix.

I have no idea what is going wrong.

gr6okn

1 Answer


Try npm audit fix --force instead.

Luiz Pina