High Severity - npm audit security issue: Arbitrary File Overwrite #44

@JayeshThamke

The npm module hippie, installed at v0.5.2, returned an npm audit security vulnerability threat on npm install.

I did not find a tar dependency inside the hippie module in the project. Is there any solution for this vulnerability? Thanks

Following is the npm audit report.
=== npm audit security report ===

Manual Review
Some vulnerabilities require your attention to resolve
Visit https://go.npm.me/audit-guide for additional guidance

High Arbitrary File Overwrite
Package tar
Patched in >=4.4.2
Dependency of hippie [dev]
Path hippie > npm > libcipm > npm-lifecycle > node-gyp > tar
More info https://npmjs.com/advisories/803

High Arbitrary File Overwrite
Package tar
Patched in >=4.4.2
Dependency of hippie [dev]
Path hippie > npm > libnpm > npm-lifecycle > node-gyp > tar
More info https://npmjs.com/advisories/803

High Arbitrary File Overwrite
Package tar
Patched in >=4.4.2
Dependency of hippie [dev]
Path hippie > npm > node-gyp > tar
More info https://npmjs.com/advisories/803

High Arbitrary File Overwrite
Package tar
Patched in >=4.4.2
Dependency of hippie [dev]
Path hippie > npm > npm-lifecycle > node-gyp > tar
More info https://npmjs.com/advisories/803

found 4 high severity vulnerabilities in 13578 scanned packages
4 vulnerabilities require manual review. See the full report for details.
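
Added example, not part of the original issue and not code from hippie or npm: a small lockfile walker that lists every nested copy of `tar` below the patched version 4.4.2 named in the report, which shows where such a copy sits when it is not in hippie's own folder. It assumes a lockfileVersion 1 layout in which nested `dependencies` mirror `node_modules`; the sample lockfile, its version numbers, and the function names are constructed for illustration.

```javascript
// Constructed sample shaped like package-lock.json (lockfileVersion 1).
// Versions other than hippie's 0.5.2 are illustrative, not from the issue.
const sampleLock = {
  dependencies: {
    hippie: { version: "0.5.2", dev: true },
    npm: {
      version: "0.0.0-sample", dev: true,
      dependencies: {
        "node-gyp": {
          version: "0.0.0-sample", bundled: true,
          dependencies: { tar: { version: "2.2.1", bundled: true } },
        },
        tar: { version: "4.4.6", bundled: true },
      },
    },
  },
};

// Compare dotted numeric versions; pre-release tags are ignored (assumption).
function versionLess(a, b) {
  const num = (v) => v.split("-")[0].split(".").map(Number);
  const [pa, pb] = [num(a), num(b)];
  for (let i = 0; i < 3; i++) {
    if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) < (pb[i] || 0);
  }
  return false;
}

// Depth-first walk of nested "dependencies", recording every copy of `name`.
function findInstalls(node, name, trail = []) {
  const hits = [];
  for (const [dep, info] of Object.entries(node.dependencies || {})) {
    const path = [...trail, dep];
    if (dep === name) {
      hits.push({ path: path.join(" > "), version: info.version, bundled: !!info.bundled });
    }
    hits.push(...findInstalls(info, name, path));
  }
  return hits;
}

// Keep only the copies older than the patched version.
function vulnerableInstalls(lock, name, patched) {
  return findInstalls(lock, name).filter((h) => versionLess(h.version, patched));
}

for (const h of vulnerableInstalls(sampleLock, "tar", "4.4.2")) {
  console.log(`${h.path} @ ${h.version}${h.bundled ? " (bundled)" : ""}`);
}
```

To run it against a real project, replace `sampleLock` with the parsed contents of that project's `package-lock.json`.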
