Create-react-app: High severity vulnerability found in fsevents >node-pre-gyp >tar

Created on 10 Apr 2019 · 23 comments · Source: facebook/create-react-app

Using Snyk, I found a security vulnerability from the package node-pre-gyp in the package tar. This was discovered on Snyk on April 4, 2019.
Please see the Snyk screenshots.

You can see details about this vulnerability here
https://snyk.io/vuln/SNYK-JS-TAR-174125


Because of this, I imagine many teams will not be able to use React Scripts. What is the best way to go about this? I filed an issue with the node-pre-gyp team, but it seems like to fix this we will need fsevents to be updated as well. Any ideas?


Most helpful comment

Yes, like I said, we will update these packages. A new version of fsevents has been released and there is already a PR updating our dependencies.

All 23 comments

npm i node-pre-gyp

There isn't really anything we can do to fix this, other than updating these dependencies when new versions are released.

If you just install node-gyp, you'll have that issue. Installing node-pre-gyp too removes the problem.
The tar dependency is a problem of node-pre-gyp, not of node-gyp.

Apparently there is a version 2.0 of fsevents that does not have a dependency to node-pre-gyp. Maybe bumping the version of fsevents could fix this. I'm not sure if that would cause a breaking change to react-scripts.

> If you just install node-gyp, you'll have that issue. Installing node-pre-gyp too removes the problem.
> The tar dependency is a problem of node-pre-gyp, not of node-gyp.

Sadly this doesn't work for me, I still get the audit errors.

Then another option I read about is to play with package-lock.json (set all tar to updated version), and use npm ci instead of i

source: https://stackoverflow.com/questions/15806152/how-do-i-override-nested-npm-dependency-versions

hope this helps more than my previous

> There isn't really anything we can do to fix this, other than updating these dependencies when new versions are released.

Given that there is a high security risk vulnerability, would it be possible to push out a minor/patch update for react-scripts that does just that?

@kaiwen-zhang-ck managed to get a fix https://github.com/mapbox/node-pre-gyp/issues/446

I've just updated the tar version in the package-lock.json, saved and ran npm audit again, and yeah it sorts it

Is it a good practice to change package-lock.json directly? I thought we should not

@adred8 I'm not sure if it's good practice, seen plenty of people saying to do it, but I don't know for sure.

At any rate, I've noticed that after updating package-lock and doing an npm install, the package lock is overwritten to the vulnerable version again. My current thinking on this is that as npm audit only looks at package.json and package-lock and not node_modules, updating package-lock to a secure version of tar(>4.4.2) doesn't eliminate the insecure version in node_modules.
fsevents is an optional dependency, requiring a mac. As I'm on windows, can anyone with a mac confirm fsevents is in node_modules still?
Also unless I'm wrong because the dependency is only installed on mac, windows users could ignore the warning?
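The thread's workaround is to hand-edit every nested "tar" entry in package-lock.json, and the comment above notes that npm audit reads the lock file rather than node_modules. A quick way to see exactly which nested copies of tar a lock file pins, and along which dependency chain, is to walk the lock's nested `dependencies` tree. The script below is an added example written for this page, not code from the thread or from create-react-app; the lock object it ships with is constructed to mirror the chain in the issue title, the version numbers in it are illustrative, and the 4.4.2 cutoff is taken from the Snyk advisory linked in the issue.

```javascript
// Added example (not from the create-react-app thread): audit a parsed
// package-lock.json (lockfileVersion 1 layout, as written by npm 5/6 in 2019)
// for nested copies of `tar` older than the fixed release and report the
// dependency chain each one hangs off.

// Fixed release per the Snyk advisory linked in the issue (SNYK-JS-TAR-174125):
// tar >= 4.4.2 is not affected.
const FIXED_TAR = "4.4.2";

// Minimal semver triple comparison: negative if a < b, 0 if equal, positive if a > b.
// Pre-release tags and build metadata are deliberately not handled.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const diff = (pa[i] || 0) - (pb[i] || 0);
    if (diff !== 0) return diff;
  }
  return 0;
}

// Walk the nested `dependencies` tree of a lockfileVersion 1 package-lock and
// collect every package called `name`, together with the chain of parents.
function findPackage(lock, name) {
  const hits = [];
  function walk(deps, chain) {
    if (!deps) return;
    for (const [dep, info] of Object.entries(deps)) {
      const path = [...chain, dep];
      if (dep === name) hits.push({ path: path.join(" > "), version: info.version });
      walk(info.dependencies, path);
    }
  }
  walk(lock.dependencies, []);
  return hits;
}

// Keep only the copies that are still below the fixed version.
function findVulnerableTar(lock) {
  return findPackage(lock, "tar").filter(h => compareVersions(h.version, FIXED_TAR) < 0);
}

// Constructed sample lock (versions are illustrative): one fixed tar hoisted to
// the top level, one old tar nested under react-scripts > fsevents > node-pre-gyp.
const sampleLock = {
  lockfileVersion: 1,
  dependencies: {
    tar: { version: "4.4.8" },
    "react-scripts": {
      version: "2.1.8",
      dependencies: {
        fsevents: {
          version: "1.2.7",
          optional: true,
          dependencies: {
            "node-pre-gyp": {
              version: "0.10.3",
              dependencies: {
                tar: { version: "2.2.1" },
              },
            },
          },
        },
      },
    },
  },
};

// Usage: node check-lock-tar.js [path/to/package-lock.json]
// With no argument the constructed sample above is audited instead.
if (typeof require !== "undefined" && typeof module !== "undefined" && require.main === module) {
  const fs = require("fs");
  const lock = process.argv[2] ? JSON.parse(fs.readFileSync(process.argv[2], "utf8")) : sampleLock;
  const bad = findVulnerableTar(lock);
  for (const hit of bad) console.log(`${hit.path} @ ${hit.version} (< ${FIXED_TAR})`);
  process.exitCode = bad.length ? 1 : 0;
}
```

Run it against a real lock file to list every chain that still resolves to an old tar; a hoisted, already-fixed copy at the top level does not help if a nested copy under node-pre-gyp is still pinned to 2.x, which is exactly the case the manual package-lock.json edits in this thread are trying to address. Note that this only reads the lock file, so like npm audit it says nothing about what is actually on disk in node_modules.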

In the article I cited they say that if you use npm ci (clean install) it shouldn't overwrite the changes you did in the .lock.json
Give it a try. And no, I don't think it is a nice practice, you are just doing it as a quick fix.

Same issue here on Ubuntu. I would be happy with this small fix in react-scripts, since we are now dealing with high vulnerabilities.

@amdp I shall give it a try. I wasn't doing it as a quick fix; I'm pretty new to dealing with dependency trees and trying to get my head around doing things well and understanding why.

Keep in mind I am a noob as well so I am -maybe- just good at explaining what other people were showing as a solution

kaiwen had posted the answer in another thread, which I shared above. I was trying to point people with the same issue to his solution, and confirm that it worked for me (even though it later didn't seem to). Hopefully I'll get time tomorrow to look at it again!

Updating all "tar" locations in package-lock.json to use "tar": "^4.4.8" manually solved my issue.

@HarisSpahija But how did you do that if node-gyp requires ^2.2?

> Updating all "tar" locations in package-lock.json to use "tar": "^4.4.8" manually solved my issue.

That solves the issue, but its not a good practice to directly update dependencies in package-lock.json.

> There isn't really anything we can do to fix this, other than updating these dependencies when new versions are released.

Exactly, you need to update the versions, especially all the tar versions under the react-scripts package, to 4.4.2 and above to remediate the Arbitrary File Overwrite vulnerability.

Yes, like I said, we will update these packages. A new version of fsevents has been released and there is already a PR updating our dependencies.

Are we there yet? ;P Just came across it now.

This should be fixed by our 3.0 release. Can you confirm?

@ianschmitz yes, 3.0 is good.
