
npm audit vulnerability in tar #2036

Closed
starpit opened this issue Apr 12, 2019 · 6 comments
starpit commented Apr 12, 2019

npm install results in audit errors:

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Arbitrary File Overwrite                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ tar                                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=4.4.2                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ lerna [dev]                                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ lerna > @lerna/add > @lerna/bootstrap > @lerna/run-lifecycle │
│               │ > npm-lifecycle > node-gyp > tar                             │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/803                       │
└───────────────┴──────────────────────────────────────────────────────────────┘

This seems to emanate from here: npm/npm-lifecycle#28

Expected Behavior

Current Behavior

Possible Solution

Steps to Reproduce (for bugs)

  1. npm install
lerna.json


lerna-debug.log


Context

Your Environment

| Executable | Version |
|---|---|
| lerna --version | 3.13.2 |
| npm --version | 6.4.1 |
| yarn --version | n/a |
| node --version | v10.15.3 |

OS Version

| NAME | VERSION |
|---|---|
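The audit table above gives the two facts a defender needs to triage this finding without waiting for a dependency bump: the patched floor (`>=4.4.2`) and the dependency chain that pulls the old `tar` in. The script below, added here as an example and not code from lerna, npm-lifecycle or this issue, walks an npm v1 `package-lock.json` tree and reports every copy of a package that sits below that floor, with the same `a > b > c` chain that `npm audit` prints and the `[dev]` marker for chains rooted in a dev dependency. The lock-file fragment is constructed to mirror the chain in the audit output; only tar's patched floor comes from the page, and the other version numbers are assumed for illustration.

```javascript
'use strict';

// Added example (not code from lerna, npm, or this issue): walk an npm v1
// package-lock.json dependency tree and report every copy of a package whose
// version is below the "Patched in" floor that npm audit printed, together
// with the dependency chain that pulls it in. Only tar's patched floor
// (>=4.4.2) comes from the issue; every other version number is assumed.

// Constructed lock-file fragment (lockfile v1 shape: nested `dependencies`
// objects, `dev: true` on dev-only roots). Note the two copies of tar: a
// patched one hoisted to the top level and an old one nested under node-gyp.
const SAMPLE_LOCK = {
  name: 'example-monorepo',
  lockfileVersion: 1,
  dependencies: {
    lerna: {
      version: '3.13.2',
      dev: true,
      dependencies: {
        '@lerna/add': {
          version: '3.13.2',
          dependencies: {
            '@lerna/bootstrap': {
              version: '3.13.2',
              dependencies: {
                '@lerna/run-lifecycle': {
                  version: '3.13.2',
                  dependencies: {
                    'npm-lifecycle': {
                      version: '2.1.0',
                      dependencies: {
                        'node-gyp': {
                          version: '3.8.0',
                          dependencies: { tar: { version: '2.2.1' } },
                        },
                      },
                    },
                  },
                },
              },
            },
          },
        },
      },
    },
    tar: { version: '4.4.8' },
  },
};

// Parse "MAJOR.MINOR.PATCH" (optional leading "v"; pre-release/build ignored).
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Numeric three-part comparison: -1 if a < b, 0 if equal, 1 if a > b.
// A plain string compare would rank 4.4.10 below 4.4.9, hence the parse.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Depth-first walk of the lock tree. Returns one hit per vulnerable copy:
// { version, dev, chain } where chain is the "a > b > c" path npm audit shows.
// The dev flag is inherited from the top-level root of the chain.
function findVulnerable(lock, pkgName, patchedIn) {
  const hits = [];
  function walk(deps, path, devRoot) {
    for (const [name, info] of Object.entries(deps || {})) {
      const here = path.concat(name);
      const dev = devRoot || Boolean(info.dev);
      if (name === pkgName && compareVersions(info.version, patchedIn) < 0) {
        hits.push({ version: info.version, dev, chain: here.join(' > ') });
      }
      walk(info.dependencies, here, dev);
    }
  }
  walk(lock.dependencies, [], false);
  return hits;
}

// Render hits the way a CI gate would surface them, one line per copy.
function report(lock, pkgName, patchedIn) {
  return findVulnerable(lock, pkgName, patchedIn).map(
    (h) => `${pkgName}@${h.version} (< ${patchedIn})${h.dev ? ' [dev]' : ''}: ${h.chain}`
  );
}

for (const line of report(SAMPLE_LOCK, 'tar', '4.4.2')) console.log(line);
// Prints one line for the nested tar@2.2.1; the hoisted tar@4.4.8 is clean.
```

Run against a real lock file by replacing `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync('package-lock.json'))`; because the walk visits nested copies rather than only the hoisted one, it catches exactly the situation in this issue, where the top-level `tar` is fine but `node-gyp` carries its own old copy.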
@evocateur
Member

This has been fixed upstream, awaiting release. Closing as it is not a lerna issue.

@pcowgill
Contributor

pcowgill commented May 2, 2019

FYI here's the fix in npm-lifecycle npm/npm-lifecycle#34

@rbuckton
Contributor

rbuckton commented May 8, 2019

There's been no activity from the npm team on npm/npm-lifecycle#34 in almost a week. @zkochan mentioned that he put together a fork of npm-lifecycle that has this fix. Is the lerna team planning to wait on npm/npm-lifecycle#34 or use https://github.com/zkochan/lifecycle in the near future?

@evocateur
Member

Fixed in v2.1.1 of npm-lifecycle: npm/npm-lifecycle@e96f550

@ktalebian

When can we expect @lerna/run-lifecycle to bump npm-lifecycle?

@evocateur
Member

evocateur commented May 8, 2019 via email
