nwjs / nw-gyp

native addon build tool for node-webkit
MIT License

Update current vulnerable version of tar #127

Open TyrealGray opened 5 years ago

TyrealGray commented 5 years ago

See here https://nvd.nist.gov/vuln/detail/CVE-2018-20834

kraenhansen commented 1 year ago

I can verify this is still an issue. This is the output from running `npm audit` in a repository with the latest version of nw-gyp installed:

```
tar  <=4.4.17
Severity: high
Arbitrary File Creation/Overwrite on Windows via insufficient relative path sanitization - https://github.com/advisories/GHSA-5955-9wpr-37jh
Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning using symbolic links - https://github.com/advisories/GHSA-qq89-hq3f-393p
Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning using symbolic links - https://github.com/advisories/GHSA-9r2w-394v-53qc
Arbitrary File Creation/Overwrite due to insufficient absolute path sanitization - https://github.com/advisories/GHSA-3jfq-g458-7qm9
Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning - https://github.com/advisories/GHSA-r628-mhmh-qjhw
No fix available
node_modules/tar
  nw-gyp  *
  Depends on vulnerable versions of tar
  node_modules/nw-gyp

2 high severity vulnerabilities

Some issues need review, and may require choosing
a different dependency.
```

I verified that the latest version of node-gyp doesn't have this and I'd think a rebase is in due time.