How to fix NPM package Tar, with high vulnerability about Arbitrary File Overwrite, when package is up to date?
Question
I just installed Flickity from NPM and got an NPM Audit Security Report after running npm audit stating that I have a high vulnerability issue regarding Arbitrary File Overwrite on package tar which is a dependency of node-sass, as you can see here:
High......................... Arbitrary File Overwrite
Package...................... tar
Patched in................... >=4.4.2
Dependency of................ node-sass [dev]
Path......................... node-sass > node-gyp > tar
More info.................... https://npmjs.com/advisories/803
Running npm audit fix didn't solve the problem as the vulnerability requires manual review. The recommendation at the more info link says to upgrade to version 4.4.2 or later. When I ran npm show tar version I realized I'm running version 4.4.8, so that confused me. I went to package-lock.json and realized node-gyp, which is a dependency of node-sass, is using tar version ^2.0.0.
This is confusing me since I've seen many different tar versions as a dependency of other packages, but this node-sass > node-gyp > tar version is the only one below v4.4.2. Why does it work like that, why do I have to manually fix it, and how can I manually fix/upgrade this one tar package?
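As an added example, not part of the question or of the answer that follows: the script below reproduces the mechanism behind the confusing report. npm hoists one copy of tar to the top of node_modules (here 4.4.8), but node-gyp declares tar ^2.0.0, a range no 4.x release satisfies, so npm installs a second copy nested under node_modules/node-gyp/node_modules/tar and npm audit flags that physical copy. The lockfile walked here is a constructed sample in the lockfileVersion 1 layout (nested "dependencies" objects), and the versions in it (node-sass 4.11.0, node-gyp 3.8.0, the nested tar 2.2.1) are illustrative assumptions, not values taken from the asker's project.

```javascript
// Added example, not code from the original question or answer. It walks a
// package-lock.json (lockfileVersion 1 layout, where a nested copy lives under
// its dependent's "dependencies") and lists every installed copy of a package,
// marking the copies that sit below an advisory's patched floor.

// Constructed sample lockfile, not a real project's lock. The versions are
// assumptions: tar 4.4.8 is hoisted to the top level, while node-gyp requires
// tar ^2.0.0 and therefore carries its own 2.x copy underneath it.
const SAMPLE_LOCK = {
  name: "example-app",
  lockfileVersion: 1,
  dependencies: {
    tar: { version: "4.4.8", dev: true },
    "node-sass": {
      version: "4.11.0",
      dev: true,
      requires: { "node-gyp": "^3.8.0" },
    },
    "node-gyp": {
      version: "3.8.0",
      dev: true,
      requires: { tar: "^2.0.0" }, // this range excludes every 4.x release
      dependencies: {
        tar: { version: "2.2.1", dev: true }, // the copy npm audit reports
      },
    },
  },
};

// Parse "MAJOR.MINOR.PATCH" (optional leading "v"; prerelease and build tags
// dropped) into three integers; throws on anything not shaped like semver.
function parseVersion(v) {
  const core = String(v).replace(/^v/, "").split(/[-+]/)[0];
  const parts = core.split(".").map(Number);
  if (parts.length !== 3 || parts.some((n) => !Number.isInteger(n) || n < 0)) {
    throw new Error(`not a semver version: ${v}`);
  }
  return parts;
}

// Numeric three-way compare of two version strings: -1, 0 or 1.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Recursively walk the nested "dependencies" objects and collect every
// installed copy of `name`. The recorded path is the physical nesting path
// (node-gyp > tar); npm audit's "Path" line instead follows the requires
// graph, which is why it shows node-sass > node-gyp > tar.
function findCopies(lock, name, path = [], out = []) {
  const deps = lock.dependencies || {};
  for (const [depName, entry] of Object.entries(deps)) {
    const here = [...path, depName];
    if (depName === name) out.push({ path: here, version: entry.version });
    if (entry.dependencies) findCopies(entry, name, here, out);
  }
  return out;
}

// Flag every copy whose resolved version is below the advisory's patched floor.
function auditPackage(lock, name, patchedFloor) {
  return findCopies(lock, name).map((copy) => ({
    ...copy,
    vulnerable: compareVersions(copy.version, patchedFloor) < 0,
  }));
}

// One line per installed copy, marking the ones that still need attention.
function formatReport(report) {
  return report
    .map((r) => `${r.path.join(" > ")}@${r.version}` + (r.vulnerable ? "  <-- below patched floor" : ""))
    .join("\n");
}

console.log(formatReport(auditPackage(SAMPLE_LOCK, "tar", "4.4.2")));
```

Run it with node; on a real project replace SAMPLE_LOCK with JSON.parse(fs.readFileSync("package-lock.json", "utf8")). npm ls tar prints the same picture from the installed tree. The walk also shows why a newer tar at the top level cannot clear the finding: the nested copy only moves to 4.x once the package that declares the range (node-gyp, pulled in by node-sass) is itself updated to a release whose range admits 4.x, which is not something npm audit fix can do for you without a larger upgrade.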
Accepted answer
The issue is being tracked on the GitHub page
https://github.com/sass/node-sass/issues/2625