I just installed Flickity from NPM and got an NPM Audit Security Report after running npm audit
stating that I have a high vulnerability issue regarding Arbitrary File Overwrite on package tar which is a dependency of node-sass as you can see here:
High......................... Arbitrary File Overwrite
Package...................... tar
Patched in................... >=4.4.2
Dependency of................ node-sass [dev]
Path......................... node-sass > node-gyp > tar
More info.................... https://npmjs.com/advisories/803
Running npm audit fix
didn't solve the problem as the vulnerability requires manual review. The recommendation at the more info link says to upgrade to version 4.4.2
or later. When I ran npm show tar version
I realized I'm running version 4.4.8
so that confused me. I went to package-lock.json
and realized node-gyp, which is a dependency of node-sass, is using tar version ^2.0.0
This is confusing me since I've seen many different tar versions as a dependency of other packages but this node-sass > node-gyp > tar version
is the only one bellow v4.4.2
. Why does it work like that, why do I have to manually fix it and how can I manualy fix/upgrade this one tar package?
question from:
https://stackoverflow.com/questions/55638180/how-to-fix-npm-package-tar-with-high-vulnerability-about-arbitrary-file-overwri 与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…