High NPM vulnerability - Arbitrary File Overwrite #14221
Comments
Duplicate of #14138
Do we have the fix ready for this? npm audit fix or an explicit npm install tar is not helping in this case.
@subhashkonda this was closed because it's a duplicate. See #14138 for details.
Thanks @mswilson4040, may I know the ETA for this? If so that would be great.
@subhashkonda Please refer to my previous comment. I am not associated with any of these teams, so I do not have an ETA. If you look in that original ticket (referenced in my previous comment), there is some chatter about timelines. You can read those to come to your own conclusion as to what an actual time frame may be.
Looks like the downstream dependency that caused the problem is fixed now. Just did a clean "npm install" after removing "/node_modules" and "package-lock.json" and that was it 🔨
This issue has been automatically locked due to inactivity. Read more about our automatic conversation locking policy. This action has been performed automatically by a bot.
🐞 Bug report
Command (mark with an x)
Is this a regression?
Yes, the previous version in which this bug was not present was: ....
Description
│ Manual Review │
│ Some vulnerabilities require your attention to resolve │
│ │
│ Visit https://go.npm.me/audit-guide for additional guidance │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High │ Arbitrary File Overwrite │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ tar │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=4.4.2 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @angular-devkit/build-angular [dev] │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ @angular-devkit/build-angular > node-sass > node-gyp > tar │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://npmjs.com/advisories/803 │
└───────────────┴──────────────────────────────────────────────────────────────┘
It looks like there's an npm vulnerability in the current angular build. I believe it may be related to this:
[Security] Vulnerability in tar sass/node-sass#2625
https://stackoverflow.com/questions/55637789/npm-audit-fix-1-high-severity-vulnerability-arbitrary-file-overwrite
🔬 Minimal Reproduction
🔥 Exception or Error
🌍 Your Environment
Anything else relevant?
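An added example, not part of the original issue or of any project's own code: one way to confirm that a clean reinstall like the one described in the comments actually removed the flagged package is to walk `package-lock.json` and list every installed copy of `tar` below the `>=4.4.2` threshold shown in the audit output. The function names and the sample lockfile (including its version numbers) are constructed for illustration.

```javascript
// Threshold taken from the audit output on this page ("Patched in >=4.4.2").
const PATCHED = '4.4.2';

// Compare two x.y.z versions numerically; prerelease/build tags are ignored.
function cmpVersion(a, b) {
  const pa = a.split(/[-+]/)[0].split('.').map(Number);
  const pb = b.split(/[-+]/)[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// lockfileVersion 1: nested "dependencies" mirror nesting inside node_modules.
function walkV1(deps, trail, name, hits) {
  for (const [dep, info] of Object.entries(deps || {})) {
    const here = trail.concat(dep);
    if (dep === name && typeof info.version === 'string' &&
        cmpVersion(info.version, PATCHED) < 0) {
      hits.push({ location: here.join(' > '), version: info.version });
    }
    walkV1(info.dependencies, here, name, hits);
  }
}

// Returns [{location, version}] for each install location holding an unpatched copy.
// "location" is where the copy is installed, not the logical dependency chain.
function findUnpatched(lock, name = 'tar') {
  const hits = [];
  if (lock.packages) {
    // lockfileVersion 2/3: flat map keyed by "node_modules/a/node_modules/b".
    for (const [key, info] of Object.entries(lock.packages)) {
      const parts = key.split('node_modules/').filter(Boolean)
        .map((p) => p.replace(/\/$/, ''));
      if (parts[parts.length - 1] === name && typeof info.version === 'string' &&
          cmpVersion(info.version, PATCHED) < 0) {
        hits.push({ location: parts.join(' > '), version: info.version });
      }
    }
  } else {
    walkV1(lock.dependencies, [], name, hits);
  }
  return hits;
}

// Constructed sample lockfile: one patched copy, one older nested copy.
const sampleLock = { lockfileVersion: 1, dependencies: {
  'node-gyp': { version: '3.8.0', dependencies: { tar: { version: '2.2.1' } } },
  tar: { version: '4.4.8' } } };
console.log(findUnpatched(sampleLock));
```

To run it against a real project, pass the parsed contents of that project's `package-lock.json` to `findUnpatched` in place of `sampleLock`; an empty result means no installed copy is below the threshold.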