How to fix NPM package Tar, with high vulnerability about Arbitrary File Overwrite, when package is up to date?

Backend  Unresolved  4  1614

眼角桃花 2021-02-01 14:19

I just installed Flickity from NPM and got an NPM Audit Security Report after running npm audit stating that I have a high vulnerability issue regarding Arbitra

4 answers
  • 2021-02-01 14:45

    The issue is being tracked on the GitHub page

    https://github.com/sass/node-sass/issues/2625

  • 2021-02-01 14:56

    In your package-lock.json, update tar for node to the following (v 4.4.8):

    "version": "4.4.8", "resolved": "https://registry.npmjs.org/tar/-/tar-4.4.8.tgz"

  • 2021-02-01 14:57

    Please update the value for "tar" in your "package-lock.json" file. And to verify, run "npm audit".

    "tar": {
      "version": "4.4.8",
      "resolved": "https://registry.npmjs.org/tar/-/tar-4.4.8.tgz",
      "integrity": "value",
      "dev": true,
      "optional": true,
      "requires": {
        "block-stream": "*",
        "fstream": "^1.0.2",
        "inherits": "2"
      }
    }
    
  • 2021-02-01 15:01

    From the SASS GitHub issue: open package-lock.json and find "tar", which should look like this:

    "version": "2.2.1",
    "resolved": "https://registry.npmjs.org/tar/-/tar-2.2.1.tgz",
    "integrity": "sha1-jk0qJWwOIYXGsYrWlK7JaLg8sdE=",
    

    Replace those 3 lines with:

    "version": "4.4.8",
    "resolved": "https://registry.npmjs.org/tar/-/tar-4.4.8.tgz",
    "integrity": "sha512-LzHF64s5chPQQS0IYBn9IN5h3i98c12bo4NCO7e0sGM2llXQ3p2FGC5sdENN4cTW48O915Sh+x+EXx7XW96xYQ==",
    

    delete the folder:

    node_modules\npm
    npm i
    npm audit fix
    npm audit
    

    Tada!
