Reputation: 107
=== npm audit security report ===
┌───────────────────────────────────────────────────────────────────┐
│ Manual Review │
│ Some vulnerabilities require your attention to resolve │
│ │
│ Visit https://go.npm.me/audit-guide for additional guidance │
└───────────────────────────────────────────────────────────────────┘
┌───────────────┬───────────────────────────────────────────────────┐
│ High │ Arbitrary File Overwrite │
├───────────────┼───────────────────────────────────────────────────┤
│ Package │ tar │
├───────────────┼───────────────────────────────────────────────────┤
│ Patched in │ >=4.4.2 │
├───────────────┼───────────────────────────────────────────────────┤
│ Dependency of │ gulp-sass │
├───────────────┼───────────────────────────────────────────────────┤
│ Path │ gulp-sass > node-sass > node-gyp > tar │
├───────────────┼───────────────────────────────────────────────────┤
│ More info │ https://nodesecurity.io/advisories/803 │
└───────────────┴───────────────────────────────────────────────────┘
found 1 high severity vulnerability in 7659 scanned packages
1 vulnerability requires manual review. See the full report for details.
Upvotes: 7
Views: 10576
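The report above pins the vulnerable copy to one nested path (gulp-sass > node-sass > node-gyp > tar) and gives a "Patched in" range. Before touching anything it helps to know how many copies of that package the lockfile actually contains and which of them are below the patched version, since a hoisted top-level copy may already be fixed while a nested one is not. The script below is an added example, not code from the question or from npm: it walks a lockfile v1 `package-lock.json` (nested `dependencies` objects), lists every copy of a package with its path, and compares each version against a `>=X.Y.Z` range in the form npm audit prints. The lockfile and the version numbers in it are constructed for the example; only the dependency path and the `>=4.4.2` range come from the report.

```python
"""Locate every copy of a package in a package-lock.json (lockfile v1 layout)
and report whether each copy satisfies the 'Patched in' range from npm audit.

Added example; the lockfile below is constructed to mirror the path reported
by npm audit (gulp-sass > node-sass > node-gyp > tar, patched in >=4.4.2).
The version numbers are made up for illustration."""
import json
import re

# Constructed sample lockfile (lockfile v1: each dependency may nest its own
# "dependencies" object). One hoisted copy of tar is patched, the nested one is not.
SAMPLE_LOCK = json.dumps({
    "name": "example-app",
    "lockfileVersion": 1,
    "dependencies": {
        "tar": {"version": "4.4.8"},          # hoisted copy, already patched
        "gulp-sass": {
            "version": "4.0.1",
            "dependencies": {
                "node-sass": {
                    "version": "4.9.0",
                    "dependencies": {
                        "node-gyp": {
                            "version": "3.7.0",
                            "dependencies": {
                                "tar": {"version": "2.2.1"}   # vulnerable nested copy
                            }
                        }
                    }
                }
            }
        }
    }
})


def parse_version(v):
    """Turn '4.4.2' (a pre-release suffix is ignored) into a comparable tuple."""
    core = re.match(r"(\d+)\.(\d+)\.(\d+)", v)
    if not core:
        raise ValueError(f"not a semver core version: {v}")
    return tuple(int(x) for x in core.groups())


def is_patched(installed, patched_in):
    """Check an installed version against a '>=X.Y.Z' range as printed by npm audit.
    Only this simple lower-bound form is handled; compound ranges raise."""
    m = re.fullmatch(r">=\s*(\d+\.\d+\.\d+)", patched_in.strip())
    if not m:
        raise ValueError(f"unsupported range: {patched_in}")
    return parse_version(installed) >= parse_version(m.group(1))


def find_package(lock, name):
    """Walk nested dependencies and return (path, version) for every copy of `name`."""
    def walk(deps, path):
        for dep_name, meta in deps.items():
            here = path + [dep_name]
            if dep_name == name:
                yield (" > ".join(here), meta["version"])
            # Recurse into this dependency's own nested dependencies, if any.
            yield from walk(meta.get("dependencies", {}), here)
    return list(walk(lock.get("dependencies", {}), []))


def audit_copies(lock_text, name, patched_in):
    """Return [(path, version, patched?), ...] for each copy of `name` in the lockfile."""
    lock = json.loads(lock_text)
    return [(p, v, is_patched(v, patched_in)) for p, v in find_package(lock, name)]


if __name__ == "__main__":
    for path, version, ok in audit_copies(SAMPLE_LOCK, "tar", ">=4.4.2"):
        print(f"{'OK  ' if ok else 'VULN'} tar@{version}  via {path}")
```

Run it against a real project by reading `package-lock.json` from disk instead of `SAMPLE_LOCK`; `npm ls tar` shows the same tree from npm's side. A copy flagged VULN deep inside a third-party chain, as here, can only be fixed by the intermediate package (node-gyp, then node-sass, then gulp-sass) publishing a release that pulls in the patched version, which is why such findings land under "Manual Review" rather than being auto-fixed.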
Reputation: 1
A security audit is an assessment of package dependencies for security vulnerabilities. Security audits help you protect your package’s users by enabling you to find and fix known vulnerabilities in dependencies that could cause data loss, service outages, unauthorized access to sensitive information, or other issues.
npm install npm@latest -g
That worked for me.
Upvotes: 0
Reputation: 1602
My suggestion would be to attempt to upgrade, but they do look to be dependent on 3rd party packages.
For the regex DoS, if the right input goes in, it could grind things to a stop, unlike the second vulnerability. You should strive to upgrade this one first, or remove it completely if you can't.
But js-yaml might keep some connections lingering for longer than it should. In the unlikely case that you can't upgrade, there are packages out there that you could use to monitor and close off remaining HTTP connections and cheaply hold off a small DoS attack. Fail2ban and Splunk for monitoring spring to mind for Linux :)
Upvotes: 1