Webpacker uses a vulnerable version of tar; see https://www.npmjs.com/advisories/803 for more details on the security issue.
tar >=4.4.2 is patched, but webpacker has yet to update its version of tar.
Expected Behavior
Use the patched version of tar
Current Behavior
Uses a vulnerable version of tar
Possible Solution
Update tar
Webpacker doesn't have a direct dependency on tar. The package that does is node-gyp. This requires a release from that package.
Relevant Info here: https://github.com/nodejs/node-gyp/issues/1717
I think this issue has been closed on node-gyp. Just awaiting a release from them.
They have released v4 which fixes (I think 2) high vulnerabilities.
https://github.com/nodejs/node-gyp/releases/tag/v4.0.0
How does one actually update node-gyp? I try running yarn upgrade node-gyp and get a bajillion build errors and garbage output, and nothing actually updates. Do I need to add it as a separate dependency in my package.json file?
@chrismanderson, my understanding is node-gyp is the bridge between the JS & C++ parts of nodejs. You wouldn't need to install it for a webpacker project. I would only update it by updating your node version using nvm.
But, if you really want to do this, here is a guide on updating the bundled node-gyp: https://github.com/nodejs/node-gyp/wiki/Updating-npm's-bundled-node-gyp. If you are on Linux/Mac OS X, the incantations are: npm explore npm -g -- npm install node-gyp@latest
Fair warning: updating library internals without waiting for a release can lead to breakage, good luck.
Npm has fixed: https://github.com/npm/cli/blob/latest/package-lock.json#L6239
Webpack has fixed: https://github.com/webpack/webpack/blob/master/yarn.lock#L6568
Yarn is on the previous version: https://github.com/yarnpkg/yarn/blob/master/yarn.lock#L7161
I am going to close this since there is nothing webpacker can do except wait for yarn to update, feel free to re-open if the situation changes. Plus, you're not going to be extracting tarballs with @rails/webpacker (at least, I hope not). Thanks for reporting!
"I" don't need to install it - but it looks like webpacker does have a dependency. Just set up a new Rails 6rc1 app with Webpacker 4 - node-gyp gets pulled in by node-sass which is pulled in by @rails/webpacker. So following the instructions you provided - is that updating the node-gyp that is part of node itself? Or the dependency pulled in by webpacker -> node-sass?
(Freely admit that my knowledge of node packages is pretty limited, and boils down to doing what the webpacker readme tells me to do, but I just never like seeing GitHub security warnings go unheeded.)
Ok, rewind. @rails/webpacker depends on node-sass & yarn, which depend on node-gyp, which depends on node-tar. node-tar was the vulnerable package.
You can try this for yourself with yarn list --pattern tar (or bin/yarn list --pattern tar). It will give you something like:

node-gyp gets pulled in by node-sass which is pulled in by @rails/webpacker
node-sass relies on pre-compiled C++ binaries from libsass https://github.com/sass/libsass. In this case, I doubt that node-gyp uses node-tar for this. Read more about the Google gyp project: https://gyp.gsrc.io/
is that updating the node-gyp that is part of node itself? Or the dependency pulled in by webpacker -> node-sass?
It can be both. Think of your package.json as a carpenter's workshop full of interdependent tools (like how you would need a hammer if you want to use a chisel). 2 carpenter's tools (webpacker & node-sass) require access to a multi-purpose hammer (node-gyp) that has any kind of head (node-tar).
This is why I linked the lock files, it specifies what version each is using. In our case, yarn is the problem because it is using an older version. I could not find any issues concerned with tar.
You very well could ninja-swap the dependencies to be updated, but I would advise against it. The fix was released 14 days ago, I would wait at least 2 more weeks.
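A way to do the lockfile check described above (yarn list --pattern tar, then comparing each resolved tar against the patched release) in code: this is an added example, not code from the webpacker, yarn or node-gyp projects. The yarn.lock v1 fragment, the node-gyp/tar entries in it and the function names are all constructed assumptions; it parses the lock entries and flags any entry for the tar package resolved below 4.4.2.

```javascript
// Added example, not from the webpacker thread: a constructed yarn.lock v1
// fragment (assumed contents) with one old and one patched tar entry.
const SAMPLE_YARN_LOCK = `# yarn lockfile v1

node-gyp@^3.8.0:
  version "3.8.0"
  dependencies:
    tar "^2.0.0"

tar@^2.0.0:
  version "2.2.1"

tar@^4.4.2:
  version "4.4.8"
`;

// First patched tar release named in the advisory the issue links to.
const PATCHED_TAR = "4.4.2";

// Compare two dotted version strings numerically: -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Parse yarn.lock v1 into { specs, version } entries. Entry headers are
// unindented lines ending in ":"; the resolved "version" line is indented.
function parseYarnLock(text) {
  const entries = [];
  let current = null;
  for (const raw of text.split("\n")) {
    const line = raw.replace(/\r$/, "");
    if (!line.trim() || line.startsWith("#")) continue;
    if (!line.startsWith(" ") && line.endsWith(":")) {
      const specs = line.slice(0, -1).split(",")
        .map((s) => s.trim().replace(/^"|"$/g, ""));
      current = { specs, version: null };
      entries.push(current);
    } else if (current) {
      const m = line.match(/^\s+version\s+"([^"]+)"/);
      if (m) current.version = m[1];
    }
  }
  return entries;
}

// Report every entry for the package "tar" itself resolved below the fix.
function findVulnerableTar(lockText, patched = PATCHED_TAR) {
  return parseYarnLock(lockText)
    .filter((e) => e.specs.some((s) => /^tar@/.test(s)))
    .filter((e) => e.version && compareVersions(e.version, patched) < 0)
    .map((e) => ({ spec: e.specs.join(", "), version: e.version }));
}
```

Run against a real yarn.lock by reading the file contents instead of the sample; an empty result means every resolved tar is at or above the patched release, which is the state the thread is waiting on yarn to reach.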
That was a super helpful explanation - thank you! Will definitely avoid ninja swapping and just wait.