nwjs / nw-gyp

native addon build tool for node-webkit


Update current vulnerable version of tar

TyrealGray opened this issue · comments

I can verify this is still an issue.
This is the output from running npm audit in a repository with the latest version of nw-gyp installed:

tar  <=4.4.17
Severity: high
Arbitrary File Creation/Overwrite on Windows via insufficient relative path sanitization - https://github.com/advisories/GHSA-5955-9wpr-37jh
Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning using symbolic links - https://github.com/advisories/GHSA-qq89-hq3f-393p
Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning using symbolic links - https://github.com/advisories/GHSA-9r2w-394v-53qc
Arbitrary File Creation/Overwrite due to insufficient absolute path sanitization - https://github.com/advisories/GHSA-3jfq-g458-7qm9
Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning - https://github.com/advisories/GHSA-r628-mhmh-qjhw
No fix available
node_modules/tar
  nw-gyp  *
  Depends on vulnerable versions of tar
  node_modules/nw-gyp

2 high severity vulnerabilities

Some issues need review, and may require choosing
a different dependency.

I verified that the latest version of node-gyp doesn't have this and I'd think a rebase is in due time.