
high severity vulnerability in @colony/purser-metamask for npm

Open olegabr opened this issue 5 years ago • 3 comments

npm i @colony/purser-metamask
found 1 high severity vulnerability
  run `npm audit fix` to fix them, or `npm audit` for details
$ npm audit
                                                                                
                       === npm audit security report ===                        
                                                                                
┌──────────────────────────────────────────────────────────────────────────────┐
│                                Manual Review                                 │
│            Some vulnerabilities require your attention to resolve            │
│                                                                              │
│         Visit https://go.npm.me/audit-guide for additional guidance          │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Arbitrary File Overwrite                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ tar                                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=4.4.2                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @colony/purser-metamask                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ @colony/purser-metamask > web3 > web3-bzz > swarm-js >       │
│               │ tar.gz > tar                                                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/803                             │
└───────────────┴──────────────────────────────────────────────────────────────┘
found 1 high severity vulnerability in 111959 scanned packages
  1 vulnerability requires manual review. See the full report for details.

olegabr, Apr 21 '19 09:04

Thanks for reporting this.

So, from what I gather, the tar package is a sub-sub-dependency of web3.

We had to pin web3 in place to version 1.0.0-beta.36, due to subsequent versions breaking Chrome's security layer. See #202 for more details.

I'll try to update web3, maybe a more recent version fixed the Chrome security thing (and also updated tar), but if that's not going to work, this is going to be a tricky fix.

rdig, Apr 21 '19 17:04

Is it safe to use web3 beta?

olegabr, Apr 22 '19 20:04

As safe as a beta release can be 🙂

But given that all the latest web3 releases are in beta, there isn't any alternative, if you want to use web3 that is.

rdig, Apr 23 '19 06:04