npm audit Arbitrary File Overwrite

mruanova picture mruanova · Apr 11, 2019 · Viewed 9.8k times · Source

I recently updated my version of angular using ng update and when running npm audit it found 1 high severity vulnerability but offered no suggestions on how to resolve it. It usually suggests to upgrade a package from package.json like: "angular-devkit/build-angular" but I am already using their latest version.

                   === npm audit security report ===                        


                             Manual Review                                  
         Some vulnerabilities require your attention to resolve             

      Visit https://go.npm.me/audit-guide for additional guidance           


High            Arbitrary File Overwrite                                      

Package         tar                                                           

Patched in      >=4.4.2                                                       

Dependency of   @angular-devkit/build-angular [dev]                           

Path            @angular-devkit/build-angular > node-sass > node-gyp > tar    

More info       https://npmjs.com/advisories/803                              

found 1 high severity vulnerability in 29707 scanned packages
1 vulnerability requires manual review. See the full report for details.

I thought of installing npm i tar but I am not sure.

Answer

Spiderman picture Spiderman · Apr 24, 2019

The following worked for me:

Go to node_modules > node_gyp > package.json, then locate tar under dependencies and replace 2.0.0 with 4.4.8.

Then run:

  1. npm i
  2. npm audit
  3. npm audit fix
  4. npm audit

you should see 0 vulnerabilities.

I've updated a few angular projects and each project had the same issue. Doing the above worked all the time.