Skip to content

Commit

Permalink
deps: updated tar package version to 4.4.8
Browse files Browse the repository at this point in the history
PR-URL: #1713
Reviewed-By: Refael Ackermann <refack@gmail.com>
  • Loading branch information
MaksPob authored and refack committed Apr 11, 2019
1 parent 5fb19f5 commit 1456ef2
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion package.json
Original file line number Diff line number Diff line change
Expand Up @@ -31,7 +31,7 @@
"request": "^2.87.0",
"rimraf": "2",
"semver": "~5.3.0",
"tar": "^3.1.3",
"tar": "^4.4.8",
"which": "1"
},
"engines": {
Expand Down

65 comments on commit 1456ef2

@ogensec
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

When can will we have this update please ?

Please... fast ...

@hykw
Copy link

@hykw hykw commented on 1456ef2 Apr 15, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@romanstingler
Thank you for providing the great package!
I'd appreciate you publish the new version when there is time.

@ogensec
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Will we just need to do a "npm update" after the next update distribution ?
this will resolve this ? :
(can't resolve High Arbitrary File Overwrite Package tar
Patched in >=4.4.2
Dependency of node-sass [dev] )

@jhnferraris
Copy link

@jhnferraris jhnferraris commented on 1456ef2 Apr 15, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Any news on this or a workaround so we can reactivate our npm audit check? :)

@giamir
Copy link

@giamir giamir commented on 1456ef2 Apr 15, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It would be great if you could publish a new version of this package soon. We are currently having a lot of our security pipelines red because of the tar vulnerability. Thanks.

@ram-you
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@pieron187
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

+1, this is causing 'yarn audit' fails.

@C-odes
Copy link

@C-odes C-odes commented on 1456ef2 Apr 15, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Any estimated time on when this will be published???

@tzanis
Copy link

@tzanis tzanis commented on 1456ef2 Apr 16, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

npm audit fails. Do we have any estimation or update one this?

@aittomakia
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I wish this would get patched soon

@davidhbrown
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

+1

@francoismassart
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

When can we fix this ? It's been too long

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Arbitrary File Overwrite                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ tar                                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=4.4.2                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ node-sass [dev]                                              │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ node-sass > node-gyp > tar                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://nodesecurity.io/advisories/803                       │
└───────────────┴──────────────────────────────────────────────────────────────┘

@pchoudhary-drg
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

+1

@I-keep-trying
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

+1

@FredPell83
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

+1

@romerocs
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

+1

@romanstingler
Copy link

@romanstingler romanstingler commented on 1456ef2 Apr 17, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

you guys earn the golden poop.
6 days ago a fix was commited for a critical security issue and you have not released it by now.
You should look for new maintainer for this damn package

@pandukovur
Copy link

@pandukovur pandukovur commented on 1456ef2 Apr 17, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

  High            Arbitrary File Overwrite

  Package         tar

  Patched in      >=4.4.2

  Dependency of   @angular-devkit/build-angular [dev]

  Path            @angular-devkit/build-angular > node-sass > node-gyp > tar

  More info       https://npmjs.com/advisories/803

High            Arbitrary File Overwrite

 Package         tar

 Patched in      >=4.4.2

 Dependency of   node-sass [dev]

 Path            node-sass > node-gyp > tar

 More info       https://npmjs.com/advisories/803

Waiting on the latest version to publish as this package is a dev dependency for agular dev servers. When this will be published?

@evanhooff
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

+1

@jhnferraris
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Any news?

@jhnferraris
Copy link

@jhnferraris jhnferraris commented on 1456ef2 Apr 18, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Referencing issues: #1721 and #1717

@purplelady105
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please release a new version with the latest security patch for tar; npm audit keeps yelling at me :)

@samabp
Copy link

@samabp samabp commented on 1456ef2 Apr 19, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

+1
@purplelady105 Yeah what she said.

@tkrebs2
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can't update my react-scripts package because of this

@onx2
Copy link

@onx2 onx2 commented on 1456ef2 Apr 20, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

+1 Please release this fix. It is a critical security issue that is affecting us all :)

@aayush420
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

+1

@omarmok
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can't update gulp because of this for 2 days

@suits-at
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

+1

@mtzrmzia
Copy link

@mtzrmzia mtzrmzia commented on 1456ef2 Apr 22, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

+1 Please release the fix we all need it

@NaturalDevCR
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

+1

@felipecalvo
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is a serious vulnerability we'd really like to have fixed as soon as possible. Thanks!

@sportgirl
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

+1

@domic6300
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

+1

@abadilah1
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

+1

@mikern12
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

A fix was merged into master for this and the version of node-gyp was increased to 4.0.0, however, I do not think that this was updated in the node-sass table. When I run npm install node-gyp, I do get the 4.0.0 version, but I get an error that I something changed and I need to "Run npm rebuild node-sass to download the binding for your current environment." When I do this, it re-loads the 3.8.x version of node-gyp. Error below from the rebuild of node-sass:

gyp ERR! node -v v9.4.0
gyp ERR! node-gyp -v v3.8.0
gyp ERR! This is a bug in node-gyp.
gyp ERR! Try to update node-gyp and file an Issue if it does not help:
gyp ERR! https://github.com/nodejs/node-gyp/issues
Build failed with error code: 7
npm ERR! code ELIFECYCLE
npm ERR! errno 1
npm ERR! node-sass@4.11.0 postinstall: node scripts/build.js
npm ERR! Exit status 1
npm ERR!
npm ERR! Failed at the node-sass@4.11.0 postinstall script.
npm ERR! This is probably not a problem with npm. There is likely additional logging output above.

@marcovalentin
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

+1

@mikern12
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I see the error. The package-lock.json still has the old values and hash for the old version of node-gyp. I have tried to modify it, but gets overwritten every time there is an update for npm

@RandomErrorMessage
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The absolute state of NodeJS

@MartCube
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Does anyone found a side solution for this ?

@aayush420
Copy link

@aayush420 aayush420 commented on 1456ef2 Apr 25, 2019 via email

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@LaurelineP
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

  • 1 for node-sass ...

@gontranbezerra
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

+1

@gigi206
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

+1

@Morb0
Copy link

@Morb0 Morb0 commented on 1456ef2 Apr 29, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

+1

@Lucas-Marchand
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

+1

@Lucas13600
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Does anyone know how I can keep working (running localhost & deploying my website) while this issue isn't fixed yet ?

Thanks folks

@morgantkb
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

+1

@jamilservicos
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

my manual fix:

$ npm --version
6.9.0

$ npm uninstall --save tar
found 0 vulnerabilities

$ npm install --save-dev tar
+ tar@4.4.8
found 0 vulnerabilities

$ npm audit fix
fixed 0 of 0 vulnerabilities

@purplelady105
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Does anyone know how I can keep working (running localhost & deploying my website) while this issue isn't fixed yet ?

Thanks folks

@Lucas13600

I just manually updated the tar version number in every occurrence in my package-lock.json file. Granted, it will try to overwrite these version numbers if you install anything else or run npm update, but it's only meant to be a temporary fix.

@Lucas13600
Copy link

@Lucas13600 Lucas13600 commented on 1456ef2 May 2, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I just manually updated the tar version number in every occurrence in my package-lock.json file. Granted, it will try to overwrite these version numbers if you install anything else or run npm update, but it's only meant to be a temporary fix.

@purplelady105

Thanks a lot ! I am pretty new to coding, so needed a little help, thanks 👍
Which version number did you pick for the tar ?

@tomrcht
Copy link

@tomrcht tomrcht commented on 1456ef2 May 3, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@Lucas13600 you should use the latest: 4.4.8

@Lucas13600
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

When will it be fixed ?
Even when I updated my tar version manually, if I run npm audit I get "found 0 vulnerabilities" but
I still cannot use npm run dev because I get this :
"> web-app@1.0.0 dev /Users/ldu/Desktop/web-app

webpack-dev-server --inline --progress --config build/webpack.dev.conf.js

internal/modules/cjs/loader.js:613
throw err;
^

Error: Cannot find module './lib/bytesToUuid'
Require stack:

  • /Users/ldu/Desktop/web-app/node_modules/uuid/v4.js
  • /Users/ldu/Desktop/web-app/node_modules/sockjs/lib/transport.js
  • /Users/ldu/Desktop/web-app/node_modules/sockjs/lib/trans-websocket.js
  • /Users/ldu/Desktop/web-app/node_modules/sockjs/lib/sockjs.js
  • /Users/ldu/Desktop/web-app/node_modules/sockjs/index.js
  • /Users/ldu/Desktop/web-app/node_modules/webpack-dev-server/lib/Server.js
  • /Users/ldu/Desktop/web-app/node_modules/webpack-dev-server/bin/webpack-dev-server.js
    at Function.Module._resolveFilename (internal/modules/cjs/loader.js:610:15)
    at Function.Module._load (internal/modules/cjs/loader.js:526:27)
    at Module.require (internal/modules/cjs/loader.js:666:19)
    at require (internal/modules/cjs/helpers.js:16:16)
    at Object. (/Users/ldu/Desktop/web-app/node_modules/uuid/v4.js:2:19)
    at Module._compile (internal/modules/cjs/loader.js:759:30)
    at Object.Module._extensions..js (internal/modules/cjs/loader.js:770:10)
    at Module.load (internal/modules/cjs/loader.js:628:32)
    at Function.Module._load (internal/modules/cjs/loader.js:555:12)
    at Module.require (internal/modules/cjs/loader.js:666:19)
    npm ERR! code ELIFECYCLE
    npm ERR! errno 1
    npm ERR! web-app@1.0.0 dev: webpack-dev-server --inline --progress --config build/webpack.dev.conf.js
    npm ERR! Exit status 1
    npm ERR!
    npm ERR! Failed at the web-app@1.0.0 dev script.
    npm ERR! This is probably not a problem with npm. There is likely additional logging output above.

npm ERR! A complete log of this run can be found in:
npm ERR! /Users/ldu/.npm/_logs/2019-05-13T11_22_31_372Z-debug.log"

Can anyone help me through this ?

I really don't get what is going on...

@ogensec

This comment was marked as off-topic.

@ogensec
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There should be an version upgrade ASAP

"ASAP" ???? Do you know what that mean ?

@addaleax
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@OG3NS3C Hi! While I understand your frustration, I’d like to remind you that this project is governed by a Code of Conduct, and we’d like to keep comments productive and professional. I’ve hidden your previous comment due to its wording (as well as its excessive length, which makes this discussion harder to follow than it already is).

That being said, my understanding is that the underlying security issue has already been addressed: #1717 (comment)

@ogensec
Copy link

@ogensec ogensec commented on 1456ef2 May 26, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ok no problem, how much time we will wait ? I have 36 vulnerability cause of this ... I can't launch my project in production ...

@addaleax
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@OG3NS3C In your case, the issue appears to be that you have a dependency chain like this:

@vue/cli-service > webpack > chrome-trace-event > npm > npm-lifecycle > node-gyp > tar

Ultimately, your depencies are outdated because @vue/cli-service explicitly forbids using an up-to-date version of webpack: https://github.com/vuejs/vue-cli/blob/5f879c4b5d2e50fb23b5e35ec6f635fc5f80e796/packages/%40vue/cli-service/package.json#L75, and so the node-gyp dependency cannot be updated.

So, it looks like your issue is more with the vue CLI package than with the node-gyp one.

@ogensec
Copy link

@ogensec ogensec commented on 1456ef2 May 26, 2019 via email

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@aayush420
Copy link

@aayush420 aayush420 commented on 1456ef2 May 26, 2019 via email

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@addaleax
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@OG3NS3C Without more information, I probably can’t help you either. I think opening an issue at https://github.com/vuejs/vue-cli/issues might be a good step, in order to start talking to the right people?

Depending on your situation – which we know very little about, you could also try to fork @vue/cli-service and use an updated version of webpack from that fork.

(But for this thread, the current situation still is: At this point, from the node-gyp point of view we can’t really do anything anymore besides what we have done.)

Please sign in to comment.