Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
deps: updated tar package version to 4.4.8
PR-URL: #1713 Reviewed-By: Refael Ackermann <[email protected]>
1456ef2
When will we have this update please?
Please... fast ...
@romanstingler
Thank you for providing the great package!
I'd appreciate you publish the new version when there is time.
Will we just need to do an "npm update" after the next update distribution? Will this resolve this?:
(can't resolve High Arbitrary File Overwrite Package tar
Patched in >=4.4.2
Dependency of node-sass [dev])
Any news on this or a workaround so we can reactivate our npm audit check? :)
It would be great if you could publish a new version of this package soon. We are currently having a lot of our security pipelines red because of the tar vulnerability. Thanks.
Please do because https://npmjs.com/advisories/803
+1, this is causing 'yarn audit' fails.
Any estimated time on when this will be published???
npm audit fails. Do we have any estimation or update on this?
I wish this would get patched soon
+1
When can we fix this ? It's been too long
+1
+1
+1
+1
you guys earn the golden poop.
6 days ago a fix was committed for a critical security issue and you have not released it by now.
You should look for a new maintainer for this damn package
Waiting on the latest version to publish as this package is a dev dependency for Angular dev servers. When will this be published?
+1
Any news?
Referencing issues: #1721 and #1717
Please release a new version with the latest security patch for tar; npm audit keeps yelling at me :)
+1
@purplelady105 Yeah what she said.
Can't update my react-scripts package because of this
+1 Please release this fix. It is a critical security issue that is affecting us all :)
+1
Can't update gulp because of this for 2 days
+1
+1 Please release the fix we all need it
+1
This is a serious vulnerability we'd really like to have fixed as soon as possible. Thanks!
+1
+1
+1
A fix was merged into master for this and the version of node-gyp was increased to 4.0.0, however, I do not think that this was updated in the node-sass table. When I run npm install node-gyp, I do get the 4.0.0 version, but I get an error that something changed and I need to "Run npm rebuild node-sass to download the binding for your current environment." When I do this, it re-loads the 3.8.x version of node-gyp. Error below from the rebuild of node-sass:
gyp ERR! node -v v9.4.0
gyp ERR! node-gyp -v v3.8.0
gyp ERR! This is a bug in `node-gyp`.
gyp ERR! Try to update node-gyp and file an Issue if it does not help:
gyp ERR!     https://github.com/nodejs/node-gyp/issues
Build failed with error code: 7
npm ERR! code ELIFECYCLE
npm ERR! errno 1
npm ERR! [email protected] postinstall: `node scripts/build.js`
npm ERR! Exit status 1
npm ERR!
npm ERR! Failed at the [email protected] postinstall script.
npm ERR! This is probably not a problem with npm. There is likely additional logging output above.
+1
I see the error. The package-lock.json still has the old values and hash for the old version of node-gyp. I have tried to modify it, but it gets overwritten every time there is an update for npm.
The absolute state of NodeJS
Has anyone found a side solution for this?
+1
+1
+1
+1
Does anyone know how I can keep working (running localhost & deploying my website) while this issue isn't fixed yet?
Thanks folks
+1
my manual fix:
@Lucas13600 I just manually updated the tar version number in every occurrence in my package-lock.json file. Granted, it will try to overwrite these version numbers if you install anything else or run npm update, but it's only meant to be a temporary fix.
@purplelady105 Thanks a lot! I am pretty new to coding, so needed a little help, thanks 👍
Which version number did you pick for the tar?
@Lucas13600 you should use the latest: 4.4.8
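After the manual lockfile edit discussed above, a quick way to confirm that no nested copy of tar is still pinned below the patched version quoted in this thread (4.4.2) is to walk package-lock.json itself. This is an added example in JavaScript, not code from node-gyp or from any commenter; the sample lockfile, its package names and its version numbers are constructed for the example.

```javascript
// Added example (not node-gyp code and not from any commenter): walk a
// lockfile-v1 package-lock.json and list every "tar" entry still below
// the patched version named in this thread. Sample lockfile is constructed.
const PATCHED = '4.4.2';

// Compare two dotted numeric versions: returns -1, 0 or 1 (no prerelease handling).
function cmpVersion(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Recurse through nested "dependencies" objects (lockfile v1 layout) and
// collect { path, version } for each package named `name` below `patched`.
function findVulnerable(node, name, patched, path = [], out = []) {
  for (const [dep, entry] of Object.entries(node.dependencies || {})) {
    const here = path.concat(dep);
    if (dep === name && cmpVersion(entry.version, patched) < 0) {
      out.push({ path: here.join(' > '), version: entry.version });
    }
    findVulnerable(entry, name, patched, here, out);
  }
  return out;
}

// Constructed sample: the top-level tar was already bumped to 4.4.8, while a
// nested node-gyp (versions made up for this example) still pins tar 2.x.
const sampleLock = {
  name: 'web-app', lockfileVersion: 1,
  dependencies: {
    tar: { version: '4.4.8' },
    'node-sass': {
      version: '4.11.0',
      dependencies: {
        'node-gyp': { version: '3.8.0', dependencies: { tar: { version: '2.2.1' } } },
      },
    },
  },
};

function report(lock) { return findVulnerable(lock, 'tar', PATCHED); }

for (const hit of report(sampleLock)) {
  console.log(`${hit.path}: tar@${hit.version} is below ${PATCHED}`);
}
```

Replace sampleLock with JSON.parse of a real package-lock.json to run it on a project. Note that editing only the version string leaves the entry's resolved URL and integrity hash pointing at the old tarball, which is why npm rewrites the edit on the next install; a release of the fixed dependency is the durable fix.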
When will it be fixed?
Even when I updated my tar version manually, if I run npm audit I get "found 0 vulnerabilities" but I still cannot use npm run dev because I get this:
> [email protected] dev /Users/ldu/Desktop/web-app
internal/modules/cjs/loader.js:613
    throw err;
    ^
Error: Cannot find module './lib/bytesToUuid'
Require stack:
    at Function.Module._resolveFilename (internal/modules/cjs/loader.js:610:15)
    at Function.Module._load (internal/modules/cjs/loader.js:526:27)
    at Module.require (internal/modules/cjs/loader.js:666:19)
    at require (internal/modules/cjs/helpers.js:16:16)
    at Object.<anonymous> (/Users/ldu/Desktop/web-app/node_modules/uuid/v4.js:2:19)
    at Module._compile (internal/modules/cjs/loader.js:759:30)
    at Object.Module._extensions..js (internal/modules/cjs/loader.js:770:10)
    at Module.load (internal/modules/cjs/loader.js:628:32)
    at Function.Module._load (internal/modules/cjs/loader.js:555:12)
    at Module.require (internal/modules/cjs/loader.js:666:19)
npm ERR! code ELIFECYCLE
npm ERR! errno 1
npm ERR! [email protected] dev: `webpack-dev-server --inline --progress --config build/webpack.dev.conf.js`
npm ERR! Exit status 1
npm ERR!
npm ERR! Failed at the [email protected] dev script.
npm ERR! This is probably not a problem with npm. There is likely additional logging output above.
npm ERR! A complete log of this run can be found in:
npm ERR!     /Users/ldu/.npm/_logs/2019-05-13T11_22_31_372Z-debug.log
Can anyone help me through this?
I really don't get what is going on...
This comment was marked as off-topic.
"ASAP" ???? Do you know what that means?
@OG3NS3C Hi! While I understand your frustration, I’d like to remind you that this project is governed by a Code of Conduct, and we’d like to keep comments productive and professional. I’ve hidden your previous comment due to its wording (as well as its excessive length, which makes this discussion harder to follow than it already is).
That being said, my understanding is that the underlying security issue has already been addressed: #1717 (comment)
Ok no problem, how much time will we wait? I have 36 vulnerabilities because of this ... I can't launch my project in production ...
@OG3NS3C In your case, the issue appears to be that you have a dependency chain like this:
Ultimately, your dependencies are outdated because @vue/cli-service explicitly forbids using an up-to-date version of webpack: https://github.com/vuejs/vue-cli/blob/5f879c4b5d2e50fb23b5e35ec6f635fc5f80e796/packages/%40vue/cli-service/package.json#L75, and so the node-gyp dependency cannot be updated. So, it looks like your issue is more with the vue CLI package than with the node-gyp one.
@OG3NS3C Without more information, I probably can’t help you either. I think opening an issue at https://github.com/vuejs/vue-cli/issues might be a good step, in order to start talking to the right people?
Depending on your situation – which we know very little about, you could also try to fork @vue/cli-service and use an updated version of webpack from that fork. (But for this thread, the current situation still is: At this point, from the node-gyp point of view we can’t really do anything anymore besides what we have done.)