This repository has been archived by the owner on Jul 24, 2024. It is now read-only.

[Security] Vulnerability in fstream #2676

Closed
TimoWestland opened this issue May 24, 2019 · 5 comments

Comments

@TimoWestland

Security risk found in fstream package

See: https://www.npmjs.com/advisories/886

  • NPM version: 6.5.0 (yarn v1.15.2)
  • Node version: 10.13.0
  • node-sass version: 4.12.0

Output from yarn audit:

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ high          │ Arbitrary File Overwrite                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ fstream                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=1.0.12                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ node-sass                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ node-sass > node-gyp > fstream                               │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/886                         │
└───────────────┴──────────────────────────────────────────────────────────────┘
@laboua

laboua commented May 27, 2019

Hello, I have the same problem. I hope it will be resolved as soon as possible 💃

@nschonni
Contributor

node-gyp doesn't pin to a particular version of fstream: https://github.com/nodejs/node-gyp/blob/9a404d6d36dcf9c7be2ae9963019c4d89bbb9155/package.json#L25
Clean your node modules/reinstall to get an unaffected version.
There is nothing to be done in node-sass.

@protonate

A bump of node-gyp to v4.0.0 will remove the fstream dependency, see: #2681

@xzyfer
Contributor

xzyfer commented May 31, 2019

This PR clearly states why a PR is not required.

@chagar

chagar commented Jun 3, 2019

For anyone else having this problem:

(Long story short: yarn seems to get confused when upgrading fstream and tar. Upgrading them with explicit versions/tags fixes it.)

node-gyp also pins to an old version of tar (^2.0.0), which depends on the insecure version of fstream. However, node-tar released a new version of this ancient branch to fix the vulnerability (2.2.2). Thus, upgrading tar will fix the problem.

However, when I run yarn upgrade tar, it does not upgrade tar to 2.2.2. Probably, yarn finds it cannot upgrade to the latest version 4.x because of dependencies, and then gives up. But, upgrading tar worked when I ran yarn upgrade tar@^2.0.0. In addition, I had to do the same thing with fstream, because node-gyp does depend on fstream (run yarn upgrade fstream@^1.0.0). This strategy fixed the security vulnerability for me. (However, it does add new lines to your package.json, explicitly requiring tar and fstream. You can safely remove these lines.)
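An added check for the workaround above (example code, not node-sass's or any commenter's): it parses a yarn.lock v1 fragment and reports fstream or tar entries still resolved below the patched versions this thread names, so you can confirm that yarn upgrade tar@^2.0.0 / fstream@^1.0.0 actually changed the resolved versions. The package names and thresholds come from the thread; the lockfile text is constructed.

```javascript
// Added example (not node-sass's or this issue's code): scan a yarn.lock for
// fstream / tar entries still below the patched versions named in this thread
// (fstream >=1.0.12, tar 2.2.2 on the 2.x branch). Lockfile text is constructed.
const PATCHED = { fstream: '1.0.12', tar: '2.2.2' };

// Compare dotted numeric versions; negative when a < b, zero when equal.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number), pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Minimal yarn.lock v1 parser: an unindented line ending in ':' opens an entry
// (one or more comma-separated, optionally quoted "name@range" keys); the
// indented `version "x.y.z"` line below it is the resolved version.
function parseYarnLock(text) {
  const entries = [];
  let current = null;
  for (const line of text.split(/\r?\n/)) {
    if (!line.trim() || line.startsWith('#')) continue;
    if (!line.startsWith(' ') && line.endsWith(':')) {
      const keys = line.slice(0, -1).split(',').map(k => k.trim().replace(/^"|"$/g, ''));
      // Name is everything before the last '@' so "@scope/pkg@^1.0.0" works too.
      current = { name: keys[0].slice(0, keys[0].lastIndexOf('@')), keys, version: null };
      entries.push(current);
    } else if (current) {
      const m = line.match(/^\s+version "([^"]+)"/);
      if (m) current.version = m[1];
    }
  }
  return entries;
}

// Lockfile entries whose resolved version is below the patched threshold.
function findUnpatched(lockText, patched = PATCHED) {
  return parseYarnLock(lockText)
    .filter(e => patched[e.name] && e.version && compareVersions(e.version, patched[e.name]) < 0)
    .map(e => ({ name: e.name, version: e.version, keys: e.keys }));
}

// Constructed fragment mirroring the node-sass > node-gyp > fstream path.
const SAMPLE_LOCK = `fstream@^1.0.0:
  version "1.0.11"

"tar@^2.0.0":
  version "2.2.1"
`;
```

Run findUnpatched on the contents of your project's yarn.lock; an empty result means both packages are already at or above the patched versions.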
