Node-gyp: A vulnerable version of tar is used

Created on 8 Apr 2019 · 13 Comments · Source: nodejs/node-gyp

All 13 comments

What to expect from here? Are we going to have an update? Response? Anything?

Well, I hope that node-gyp could migrate to tar v4.4.2+ (or could convince the tar maintainers to backport the fix to a 3.x release if that's infeasible).
I don't know the node-gyp codebase (I'm not even using it directly; I'm an indirect user through node-sass), so I'm not confident providing a patch myself. But as the advisory is now public, I wanted to raise awareness that node-gyp is impacted. The discussion in the HackerOne report mentioned that some popular apps (probably unpkg.com, based on some later comments) were impacted and should be patched before making it public. It's too bad that node-gyp was not identified for that as well.

It looks like https://github.com/nodejs/node-gyp/pull/1713 is working on it

@refack Are you going to do a release with this update? Thanks!

Refs: https://github.com/nodejs/node-gyp/pull/1718
The @nodejs/node-gyp team needs to make an explicit decision to drop support for node<4 for the node-gyp@3 branch. Otherwise this will need to wait for node-gyp@4 (which should be out soon, hopefully in parallel to node@12)...

Well, waiting for node-gyp@4 would mean that the non-vulnerable version would reach the ecosystem only after each package migrates as well, which would take a huge amount of time (and they would still have to drop 0.10 and 0.12 to get the patch anyway).

Why does the current version 3.8.0 (npmjs.org) still use tar version 2.0.0 instead of 4.4.2?

@pwnpsasin see the comment above. Upgrading tar requires dropping support for node<4 (as tar dropped it in 3.x) and that requires a decision from the team.

@stof The way to address this in a way that would not require semver-major bumps of everything is npm/node-tar#212 (i.e. backport the security patch/patches to node-tar@2). They are willing to accept a backported patch and cut a release if anyone is willing to do the backporting work.

@stof Why don't you create a new major version with updated tar, and when (if ever, as I see the comments there) the node-tar backport is created, release a fix for the older version? Lots of people are waiting for this update and our security guys are pinging us every day.

@gpkoltermann I'm not creating versions because I'm not a maintainer at all here.

https://github.com/nodejs/node-gyp/releases/tag/v4.0.0 has been released, it doesn't depend on the version of node-tar causing audit warnings.
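As an added example (not code from this thread or from the node-gyp project): a small Node.js check that walks an npm lockfile's dependency tree and reports every `tar` install below 4.4.2, the version the thread names as fixed, together with the dependency path that pulls it in. The lockfile contents and package versions in `SAMPLE_LOCK` are constructed for illustration.

```javascript
// Added example: find transitive `tar` installs below the fixed version named in
// the thread (4.4.2) in an npm lockfile with the lockfileVersion 1 layout.
const FIXED_TAR = '4.4.2';

// Compare two dotted versions numerically. Pre-release suffixes are dropped,
// which is sufficient for the release versions discussed in the thread.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Recursively walk the nested `dependencies` maps and collect every `tar`
// whose version is older than `fixed`, recording the path that pulls it in.
function findVulnerableTar(lock, fixed = FIXED_TAR) {
  const hits = [];
  function walk(deps, trail) {
    for (const [name, info] of Object.entries(deps || {})) {
      const here = [...trail, `${name}@${info.version}`];
      if (name === 'tar' && compareVersions(info.version, fixed) < 0) {
        hits.push({ path: here.join(' > '), version: info.version });
      }
      walk(info.dependencies, here); // nested (non-hoisted) installs
    }
  }
  walk(lock.dependencies, []);
  return hits;
}

// Constructed sample lockfile: a node-sass install pulls node-gyp@3.8.0, which
// pins tar@2.0.0 (the situation in the thread); the hoisted tar@4.4.8 is fine.
const SAMPLE_LOCK = {
  lockfileVersion: 1,
  dependencies: {
    'node-sass': { version: '4.0.0', dependencies: {
      'node-gyp': { version: '3.8.0', dependencies: { tar: { version: '2.0.0' } } } } },
    tar: { version: '4.4.8' },
  },
};

for (const hit of findVulnerableTar(SAMPLE_LOCK)) {
  console.log(`vulnerable tar ${hit.version} (< ${FIXED_TAR}) via ${hit.path}`);
}
```

To run it against a real project, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync('package-lock.json'))` from a lockfile that uses the version 1 layout.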
