
High NPM vulnerability - Arbitrary File Overwrite #14221

Closed
marc-wilson opened this issue Apr 19, 2019 · 7 comments

Comments


marc-wilson commented Apr 19, 2019

🐞 Bug report

Command (mark with an x)

- [ ] new
- [x] build
- [ ] serve
- [ ] test
- [ ] e2e
- [ ] generate
- [x] add
- [x] update
- [ ] lint
- [ ] xi18n
- [ ] run
- [ ] config
- [ ] help
- [ ] version
- [ ] doc

Is this a regression?

Yes, the previous version in which this bug was not present was: ....

Description

```text
┌──────────────────────────────────────────────────────────────────────────────┐
│ Manual Review │
│ Some vulnerabilities require your attention to resolve │
│ │
│ Visit https://go.npm.me/audit-guide for additional guidance │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High │ Arbitrary File Overwrite │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ tar │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=4.4.2 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @angular-devkit/build-angular [dev] │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ @angular-devkit/build-angular > node-sass > node-gyp > tar │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://npmjs.com/advisories/803 │
└───────────────┴──────────────────────────────────────────────────────────────┘
```

It looks like there's an npm vulnerability in the current angular build. I believe it may be related to this:


🌍 Your Environment

```text
Angular CLI: 7.3.8
Node: 10.15.3
OS: darwin x64
Angular: 7.2.13
... animations, common, compiler, compiler-cli, core, forms
... http, language-service, platform-browser
... platform-browser-dynamic, platform-server, router

Package                           Version
-----------------------------------------------------------
@angular-devkit/architect         0.13.8
@angular-devkit/build-angular     0.13.8
@angular-devkit/build-optimizer   0.13.8
@angular-devkit/build-webpack     0.13.8
@angular-devkit/core              7.3.8
@angular-devkit/schematics        7.3.8
@angular/cdk                      7.3.7
@angular/cli                      7.3.8
@angular/material                 7.3.7
@ngtools/webpack                  7.3.8
@schematics/angular               7.3.8
@schematics/update                0.13.8
rxjs                              6.4.0
typescript                        3.2.4
webpack                           4.29.0
```


clydin (Member) commented Apr 19, 2019

Duplicate of #14138

@clydin clydin marked this as a duplicate of #14138 Apr 19, 2019
@clydin clydin closed this as completed Apr 19, 2019
@subhashkonda

Do we have the fix ready for this? `npm audit fix` or an explicit `npm install tar` is not helping in this case.

@marc-wilson (Author)

@subhashkonda this was closed because it's a duplicate. See #14138 for details.

subhashkonda commented Apr 22, 2019

Thanks @mswilson4040, may I know the ETA for this? If so, that would be great.

@marc-wilson (Author)

@subhashkonda Please refer to my previous comment. I am not associated with any of these teams, so I do not have an ETA. If you look in that original ticket (referenced in my previous comment), there is some chatter about timelines. You can read those to come to your own conclusion as to what an actual time frame may be.

@dmytro-gokun

Looks like the downstream dependency that caused the problem is fixed now. Just did a clean `npm install` after removing `/node_modules` and `package-lock.json`, and that was it 🔨
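The two comments above describe `npm install tar` failing to clear the finding while a regenerated lockfile did. As an added example (not code from the issue or from Angular), the script below walks a package-lock.json and reports every copy of `tar`, nested ones included, against the advisory's patched range `>=4.4.2`; the sample lockfile is constructed, and the nested versions in it are assumed for illustration.

```javascript
// Added example, not from the issue: list every copy of a package in a package-lock.json
// (lockfileVersion 1 nested "dependencies" or v2/v3 flat "packages") against a patched range.
function parseVersion(v) {
  return v.split('-')[0].split('.').map(Number); // "4.4.1-rc.1" -> [4, 4, 1]
}
function atLeast(version, minimum) { // semver ">=" on major.minor.patch only
  const a = parseVersion(version), b = parseVersion(minimum);
  for (let i = 0; i < 3; i++) {
    if ((a[i] || 0) !== (b[i] || 0)) return (a[i] || 0) > (b[i] || 0);
  }
  return true;
}
function findPackage(lock, name, minimum) {
  const hits = [];
  const add = (path, version) =>
    hits.push({ path: path.join(' > '), version, patched: atLeast(version, minimum) });
  if (lock.packages) {
    // v2/v3 keys look like "node_modules/node-gyp/node_modules/tar"
    for (const [key, entry] of Object.entries(lock.packages)) {
      if (key === `node_modules/${name}` || key.endsWith(`/node_modules/${name}`)) {
        add(key.split('node_modules/').filter(Boolean).map(s => s.replace(/\/$/, '')), entry.version);
      }
    }
  } else {
    const walk = (deps, trail) => {
      for (const [dep, entry] of Object.entries(deps || {})) {
        if (dep === name) add([...trail, dep], entry.version);
        walk(entry.dependencies, [...trail, dep]); // nested copies are the ones npm audit flags
      }
    };
    walk(lock.dependencies, []);
  }
  return hits;
}
// Constructed v1 lockfile mirroring the audit path in the report: a tar installed at the
// root by "npm install tar" plus the older nested copy that node-gyp still resolves.
const SAMPLE_LOCK = { lockfileVersion: 1, dependencies: {
  tar: { version: '4.4.8' },
  '@angular-devkit/build-angular': { version: '0.13.8', dev: true, dependencies: {
    'node-sass': { version: '4.11.0', dependencies: {
      'node-gyp': { version: '3.8.0', dependencies: { tar: { version: '2.2.1' } } } } } } } } };
function report(lock, name, minimum) {
  return findPackage(lock, name, minimum)
    .map(h => `${h.patched ? 'ok    ' : 'UNSAFE'} ${name}@${h.version}  ${h.path}`);
}
console.log(report(SAMPLE_LOCK, 'tar', '4.4.2').join('\n'));
```

The root-level `tar` passes while the nested copy under `node-gyp` is still flagged, which is why a top-level `npm install tar` does not satisfy the audit until the lockfile is regenerated with a fixed `node-gyp`.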

@angular-automatic-lock-bot

This issue has been automatically locked due to inactivity.
Please file a new issue if you are encountering a similar or related problem.

Read more about our automatic conversation locking policy.

This action has been performed automatically by a bot.

@angular-automatic-lock-bot angular-automatic-lock-bot bot locked and limited conversation to collaborators Sep 9, 2019