Security Vulnerability in "tar" #1147
Comments
For anyone feeling they're blocked by this, as stated by a maintainer here on another similar issue, on See https://yarnpkg.com/lang/en/docs/selective-version-resolutions/
@pyrho thanks for this. However we aren't in a position to move to
Why is this issue on semantic-release anyways? The problem is in a dep of node-gyp, and I believe it's getting backported to all versions? nodejs/node-gyp#1713
Also the issue itself is likely not even something that affects you the way node-gyp uses it - it's a pity there is no way to silence the alerts in npm audit, but in this case you totally should, unless you don't trust tars of node headers distributed via official repos.
I guess it's time to say goodbye to npm in favor of yarn once and for all. Luckily we were pretty far down that road already anyways :) Edit: Oh boy. Thanks for all the downvotes. See below for explanation before adding more downvotes (I've also quoted the corresponding reply). This was not bashing on npm but rather pointing out a missing feature in npm.
@simlu funny you should say that. If I read the code correctly, yarn uses the exact same version of node-gyp as npm does. Not only that, if you were to
Ok, so I did some digging around. This is definitely not the repository that "causes" or "needs to fix" the issue. But please, fighting over "use yarn instead of npm" doesn't help (at all)... To sum up the difficulties:
There are no simple solutions for this issue. Although it's always a good idea to sum some up.
This security issue has been rough on the community, on all of us. Again, I don't think it helps anything to be negative to each other or letting this escalate further. Luckily for us, the guys/girls from the Node.js Foundation Technical Steering Committee have recognized this issue and should be talking about this today (2019-04-24). I sincerely hope they can come up with something, else we probably have to wait until NPM and
@dominykas I'm a little lost. I think there is some serious confusion here. Let me try to put this together. I'm not saying that semantic-release should use yarn instead of npm. I'm saying that (wrt the first response to this ticket), we are switching our projects that use semantic-release from using npm for installing the package.json file to using yarn for doing that. The reason being that yarn allows you to forcefully upgrade nested sub-dependencies, but npm doesn't. Does that make sense? The fact that the vulnerability exists inside a sub-dependency inside semantic-release which happens to be npm has nothing to do with my reply above. Apologies if I misunderstand something here. But that's what I concluded... At no point was this meant to be offensive or an argument. I was simply happy to find a fix for the vulnerability and yarn provided it while npm didn't.
I think I missed your point too, I totally forgot you can do that too... I read some irritations that "hit close to home", wanted to find out once and for all if I could do anything. Sorry if this was a bombshell @simlu, definitely not intended as one!
Sorry, I probably read that as a snark and responded without stopping to think if it's constructive.
It's a very powerful feature. Dangerous too. But I guess that's veering offtopic.
This is no fix for the tar vulnerability right now: semantic-release/semantic-release#1147 Since all audit issues occur with devDependencies only, and because our distribution will not include any devDependencies, I'm choosing the ignore audit issues for now.
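The check byCedric's decision rests on (every audit finding reached only through devDependencies) can be automated over the report itself. The script below is an added example, not code from semantic-release or any commenter; it assumes the npm 6 `npm audit --json` layout in which each advisory carries `findings` with a per-path `dev` flag, and the embedded report is constructed with placeholder ids, titles and versions.

```python
"""Triage an `npm audit --json` report: does any advisory reach production?

Added example, not from the semantic-release project. Assumes the npm 6
report layout (advisories -> findings, each with a `dev` flag per path);
the sample report below is constructed with placeholder ids and titles.
"""
import json
from typing import Dict, List

# Constructed sample report. The `tar` finding is reached only through the
# devDependency node-gyp, as in the thread; the second advisory is constructed
# so that one of its paths is a production dependency.
SAMPLE_REPORT = json.dumps({
    "advisories": {
        "1": {
            "id": 1, "module_name": "tar", "severity": "high",
            "title": "<advisory title>",
            "findings": [
                {"version": "<vulnerable tar version>",
                 "paths": ["npm>node-gyp>tar"], "dev": True},
            ],
        },
        "2": {
            "id": 2, "module_name": "example-lib", "severity": "moderate",
            "title": "<advisory title>",
            "findings": [
                {"version": "1.0.0", "paths": ["some-dep>example-lib"], "dev": False},
                {"version": "1.0.0", "paths": ["other-tool>example-lib"], "dev": True},
            ],
        },
    }
})


def production_advisories(report_json: str) -> Dict[str, List[str]]:
    """Return {module_name: [paths]} for advisories with at least one path
    that is not dev-only. An empty dict means every finding is dev-only,
    the condition under which ignoring the audit result was chosen above."""
    report = json.loads(report_json)
    hits: Dict[str, List[str]] = {}
    for adv in report.get("advisories", {}).values():
        prod_paths = [p for f in adv.get("findings", [])
                      if not f.get("dev", False) for p in f.get("paths", [])]
        if prod_paths:
            hits[adv["module_name"]] = prod_paths
    return hits


if __name__ == "__main__":
    for name, paths in production_advisories(SAMPLE_REPORT).items():
        print(f"{name}: reachable from production via {', '.join(paths)}")
```

On the constructed report the `tar` advisory is dropped as dev-only while `example-lib` is reported once, via its production path only.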
Thanks @byCedric for the detailed explanation.
Current behavior
npm audit fails due to security vulnerabilities in the package tar. This is present in version 15.13.3.