High severity vulnerability found in fsevents >node-pre-gyp >tar #6790
Comments
npm i node-pre-gyp
There isn't really anything we can do to fix this, other than updating these dependencies when new versions are released.
If you just install node-gyp, you'll have that issue. Installing node-pre-gyp too removes the problem.
…rity vulnerability warning cf. facebook/create-react-app#6790 cf. fsevents/fsevents#262
Apparently there is a version 2.0 of fsevents that does not have a dependency on node-pre-gyp. Maybe bumping the version of fsevents could fix this. I'm not sure if that would cause a breaking change to react-scripts.
Sadly this doesn't work for me - I still get the audit errors.
Then another option I read about is to play with package-lock.json (set all tar to the updated version), and use npm ci instead of npm i. Source: https://stackoverflow.com/questions/15806152/how-do-i-override-nested-npm-dependency-versions Hope this helps more than my previous
Given that there is a high security risk vulnerability, would it be possible to push out a minor/patch update for react-scripts that does just that?
@kaiwen-zhang-ck managed to get a fix: https://github.com/mapbox/node-pre-gyp/issues/446 I've just updated the tar version in the package-lock.json, saved and ran
Is it good practice to change package-lock.json directly? I thought we should not
@adred8 I'm not sure if it's good practice; I've seen plenty of people saying to do it, but I don't know for sure. At any rate, I've noticed that after updating package-lock and doing an
In the article I cited they say that if you use npm ci (clean install) it shouldn't overwrite the changes you made in the .lock.json
Same issue here on Ubuntu. I would be happy with this small fix in react-scripts since we are now dealing with high vulnerabilities...
@amdp I shall give it a try. I wasn't doing it as a quick fix; I'm pretty new to dealing with dependency trees and trying to get my head around doing things well and understanding why
Keep in mind I am a noob as well, so I am -maybe- just good at explaining what other people were showing as a solution.
kaiwen had posted the answer in another thread, which I shared above. I was trying to point people with the same issue to his solution, and confirm that it worked for me (even though it later didn't seem to). Hopefully I'll get time tomorrow to look at it again!
Updating all
@HarisSpahija But how did you do that if node-gyp requires
That solves the issue, but it's not good practice to directly update dependencies in package-lock.json.
Exactly, you need to update the versions, especially all the tar versions under the react-scripts package, to 4.4.2 and above to remediate the Arbitrary File Overwrite vulnerability.
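The check the comments above describe, finding every copy of tar below 4.4.2 that a lockfile still resolves, as an added example that is not code from this thread or from the create-react-app project; it assumes npm 6's lockfileVersion 1 layout (nested "dependencies" objects) and uses a constructed sample lockfile whose non-tar versions are placeholders:

```javascript
// Added example, not code from the thread: walk an npm package-lock.json
// (lockfileVersion 1, npm 6's nested "dependencies" tree) and list every
// copy of "tar" older than the 4.4.2 fix the thread names, with the path that pulls it in.
const FIXED_TAR = '4.4.2';

// Minimal numeric compare on "major.minor.patch"; prerelease suffixes are
// ignored, which is enough for the tar versions discussed here.
function isOlderThan(version, fixed) {
  const a = version.split('.').map(n => parseInt(n, 10) || 0);
  const b = fixed.split('.').map(n => parseInt(n, 10) || 0);
  for (let i = 0; i < 3; i++) {
    if ((a[i] || 0) !== (b[i] || 0)) return (a[i] || 0) < (b[i] || 0);
  }
  return false;
}

// Recursively visit nested "dependencies" and collect vulnerable tar entries.
function findVulnerableTar(lock, fixed = FIXED_TAR) {
  const hits = [];
  const walk = (deps, path) => {
    for (const [name, entry] of Object.entries(deps || {})) {
      const here = [...path, name];
      if (name === 'tar' && isOlderThan(entry.version, fixed)) {
        hits.push({ path: here.join(' > '), version: entry.version });
      }
      walk(entry.dependencies, here);   // nested copies npm could not dedupe
    }
  };
  walk(lock.dependencies, []);
  return hits;
}

// Constructed sample lockfile (versions other than tar are placeholders)
// mirroring the chain in the issue title, react-scripts > fsevents >
// node-pre-gyp > tar, next to an already patched hoisted tar.
const sampleLock = {
  lockfileVersion: 1,
  dependencies: {
    tar: { version: '4.4.8' },
    'react-scripts': { version: '0.0.0-sample', dependencies: {
      fsevents: { version: '0.0.0-sample', dependencies: {
        'node-pre-gyp': { version: '0.0.0-sample', dependencies: {
          tar: { version: '4.4.1' } } } } } } }
  }
};
// Real use: replace sampleLock with JSON.parse(fs.readFileSync('package-lock.json')).
for (const h of findVulnerableTar(sampleLock)) {
  console.log(`${h.path} resolves tar@${h.version} (< ${FIXED_TAR})`);
}
```

A hoisted tar at the top level being patched does not help, as the sample shows: a nested copy under node-pre-gyp is what npm audit flags, and that is the entry to bump in the lockfile.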
Yes, like I said, we will update these packages. A new version of
we there yet? ;P Just came across it now.
This should be fixed by our 3.0 release. Can you confirm?
@ianschmitz yes, 3.0 is good.
Using Snyk, I found a security vulnerability from package node-pre-gyp in the package tar. This was discovered on Snyk April 4 2019. Please see Snyk screenshots. You can see details about this vulnerability here: https://snyk.io/vuln/SNYK-JS-TAR-174125
Because of this, I imagine many teams will not be able to use React Scripts. What is the best way to go about this? I filed an issue with the node-pre-gyp team but it seems like to fix this we will need fsevents to be updated as well. Any ideas?