npm audit Arbitrary File Overwrite
I recently updated my version of angular using ng update
and when running npm audit it found 1 high severity vulnerability but offered no suggestions on how to resolve it. It usually suggests to upgrade a package from package.json like: "angular-devkit/build-angular" but I am already using their latest version.
=== npm audit security report ===
Manual Review
Some vulnerabilities require your attention to resolve
Visit https://go.npm.me/audit-guide for additional guidance
High Arbitrary File Overwrite
Package tar
Patched in >=4.4.2
Dependency of @angular-devkit/build-angular [dev]
Path @angular-devkit/build-angular > node-sass > node-gyp > tar
More info https://npmjs.com/advisories/803
found 1 high severity vulnerability in 29707 scanned packages
1 vulnerability requires manual review. See the full report for details.
I thought of installing npm i tar but I am not sure.
Answer
The following worked for me:
Go to node_modules > node_gyp > package.json, then locate tar under dependencies and replace 2.0.0 with 4.4.8.
Then run:
- npm i
- npm audit
- npm audit fix
- npm audit
you should see 0 vulnerabilities.
I've updated a few angular projects and each project had the same issue. Doing the above worked all the time.