Reputation: 921
I've done npm audit and it showed me that I have one High vulnerability. That's the information that it gave to me:
┌───────────────┬─────────────────────────────────────────────────┐
│ High          │ Arbitrary File Overwrite                        │
├───────────────┼─────────────────────────────────────────────────┤
│ Package       │ tar                                             │
├───────────────┼─────────────────────────────────────────────────┤
│ Patched in    │ >=4.4.2                                         │
├───────────────┼─────────────────────────────────────────────────┤
│ Dependency of │ node-sass-chokidar                              │
├───────────────┼─────────────────────────────────────────────────┤
│ Path          │ node-sass-chokidar > node-sass > node-gyp > tar │
├───────────────┼─────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/803                │
└───────────────┴─────────────────────────────────────────────────┘
I looked at my package-lock.json for the node-gyp package and I found that the tar package still has version 2.0.0; however, I need 4.4.8:
"node-gyp": {
  "version": "3.8.0",
  "resolved": "https://registry.npmjs.org/node-gyp/-/node-gyp-3.8.0.tgz",
  "integrity": "sha512-3g8lYefrRRzvGeSowdJKAKyks8oUpLEd/DyPV4eMhVlhJ0aNaZqIrNUIPuEWWTAoPqyFkfGrM67MC69baqn6vA==",
  "requires": {
    "fstream": "^1.0.0",
    "glob": "^7.0.3",
    "graceful-fs": "^4.1.2",
    "mkdirp": "^0.5.0",
    "nopt": "2 || 3",
    "npmlog": "0 || 1 || 2 || 3 || 4",
    "osenv": "0",
    "request": "^2.87.0",
    "rimraf": "2",
    "semver": "~5.3.0",
    "tar": "^2.0.0",
    "which": "1"
  },
  "dependencies": {
    "nopt": {
      "version": "3.0.6",
      "resolved": "https://registry.npmjs.org/nopt/-/nopt-3.0.6.tgz",
      "integrity": "sha1-xkZdvwirzU2zWTF/eaxopkayj/k=",
      "requires": {
        "abbrev": "1"
      }
    },
    "semver": {
      "version": "5.3.0",
      "resolved": "https://registry.npmjs.org/semver/-/semver-5.3.0.tgz",
      "integrity": "sha1-myzl094C0XxgEq0yaqa00M9U+U8="
    },
    "tar": {
      "version": "2.2.1",
      "resolved": "https://registry.npmjs.org/tar/-/tar-2.2.1.tgz",
      "integrity": "sha1-jk0qJWwOIYXGsYrWlK7JaLg8sdE=",
      "requires": {
        "block-stream": "*",
        "fstream": "^1.0.2",
        "inherits": "2"
      }
    }
  }
}
Then I searched for the same problem so I've found this answer. Then I did
npm cache verify
rm -rf node_modules/
npm i -g npm npm-check-updates
ncu -g
ncu -u
npm i
but the version of the tar package still remains the same. I also tried updating it directly with npm install tar@4.4.8, but it just put tar in my package.json. I also tried npm update and npm outdated. Everything looks up to date.
Upvotes: 1
Views: 2662
Reputation: 222474
node-gyp@3.8.0 depends on "tar@^2.0.0"; updating tar to 4.4.8 won't affect node-gyp.
As explained in this answer, vulnerability reports should pass a sanity check and be taken with a grain of salt. If there's a nested package that has a vulnerability, all packages that depend on it should be updated, which may be complicated. On the other hand, if the vulnerable package is used in a way that cannot cause security problems, it's not a vulnerability.
node-sass-chokidar is a development package; it's unlikely that the nested tar dependency can cause security problems for the project. The reported 'vulnerability' cannot be easily fixed. Ignore the report. In case there's no issue yet (actually, there is), open one in the node-sass and node-sass-chokidar repositories.
Upvotes: 1
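To make the nesting point above concrete, here is an added example (not code from the question or either answer) that walks a lockfileVersion 1 package-lock.json tree and reports every copy of a package still below the advisory's patched floor. The lock data is constructed from the question's excerpt, with a top-level tar@4.4.8 added to show why npm install tar@4.4.8 does not touch the copy nested under node-gyp; the node-sass-chokidar and node-sass version numbers are placeholders.

```javascript
// Added example: find nested copies of a package in a v1 package-lock tree
// that are still below an advisory's "Patched in" floor. The lock data is
// constructed from the question's excerpt, plus a top-level tar@4.4.8.
const sampleLock = {
  dependencies: {
    tar: { version: "4.4.8" }, // what "npm install tar@4.4.8" adds at top level
    "node-sass-chokidar": {
      version: "1.3.4", // constructed placeholder, not from the question
      dependencies: {
        "node-sass": {
          version: "4.9.0", // constructed placeholder
          dependencies: {
            "node-gyp": {
              version: "3.8.0",
              requires: { tar: "^2.0.0" }, // a range tar@4.4.8 cannot satisfy
              dependencies: { tar: { version: "2.2.1" } },
            },
          },
        },
      },
    },
  },
};

// Compare dotted numeric versions like a comparator: <0, 0, >0.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Recursively collect every copy of `name` whose version is below `patchedIn`
// (the advisory's ">=x.y.z" floor), with its path as npm audit prints it.
function findVulnerable(lock, name, patchedIn, path = [], out = []) {
  for (const [dep, info] of Object.entries(lock.dependencies || {})) {
    const here = [...path, dep];
    if (dep === name && compareVersions(info.version, patchedIn) < 0) {
      out.push({ path: here.join(" > "), version: info.version });
    }
    findVulnerable(info, name, patchedIn, here, out); // descend into nested deps
  }
  return out;
}

console.log(findVulnerable(sampleLock, "tar", "4.4.2"));
```

The only hit is the copy at node-sass-chokidar > node-sass > node-gyp > tar (2.2.1); the top-level 4.4.8 satisfies the floor but is never what node-gyp resolves.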
Reputation: 12190
Well, it's called package-lock.json for a reason; that version will always remain the same.
If you want to update your packages, you will need to remove that file, or rename it to package.json, then perform your update.
Upvotes: 1