thom-nic
commented
3 years ago The upstream issue is here: https://github.com/mapbox/node-pre-gyp/pull/601
Closed a-tonchev closed 2 years ago
thom-nic
commented
3 years ago The upstream issue is here: https://github.com/mapbox/node-pre-gyp/pull/601
thom-nic
commented
3 years ago The "better" solution might be to ditch node-pre-gyp which is chronically the source of production dependency CVEs (despite ofc not being used after the initial npm install)
node-gyp-build is a zero-dependency replacement for node-pre-gyp: https://www.npmjs.com/package/node-gyp-build
thom-nic
commented
3 years ago I'm going to mention #665 here from which I've got a proposed branch that uses prebuildify and node-gyp-build. It can work for you as-is if you're willing to fork and published your own namespaced package on NPM.
ZeRego
commented
2 years ago Should we make a patch with the new node-pre-gyp version while we work on the PR that will remove it completely ?
jrichardsz
commented
2 years ago Currently under node 14, there are 05 high vulnerabilities:
| High | Arbitrary File Creation/Overwrite on Windows via |
|---|---|
| Package | tar |
| Dependency of | bcrypt |
| Path | bcrypt > @mapbox/node-pre-gyp > tar |
| More info | https://github.com/advisories/GHSA-5955-9wpr-37jh |
| High | Arbitrary File Creation/Overwrite via insufficient symlink links |
|---|---|
| Package | tar |
| Dependency of | bcrypt |
| Path | bcrypt > @mapbox/node-pre-gyp > tar |
| More info | https://github.com/advisories/GHSA-qq89-hq3f-393p |
| High | Arbitrary File Creation/Overwrite via insufficient symlink |
|---|---|
| Package | tar |
| Dependency of | bcrypt |
| Path | bcrypt > @mapbox/node-pre-gyp > tar |
| More info | https://github.com/advisories/GHSA-9r2w-394v-53qc |
| High | Arbitrary File Creation/Overwrite due to insufficient absolute path sanitization |
|---|---|
| Package | tar |
| Dependency of | bcrypt |
| Path | bcrypt > @mapbox/node-pre-gyp > tar |
| More info | https://github.com/advisories/GHSA-3jfq-g458-7qm9 |
| High | Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning |
|---|---|
| Package | tar |
| Dependency of | bcrypt |
| Path | bcrypt > @mapbox/node-pre-gyp > tar |
| More info | https://github.com/advisories/GHSA-r628-mhmh-qjhw |
recrsn
commented
2 years ago Fixed in latest release
When I run
yarn auditit shows the security warning:Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoningbcrypt version 5.0.1