
yarn audit shows high risk warning, because of tar dependency

Open a-tonchev opened this issue 4 years ago • 5 comments

When I run yarn audit it shows the security warning:

Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning

bcrypt version 5.0.1

a-tonchev avatar Aug 27 '21 14:08 a-tonchev

The upstream issue is here: https://github.com/mapbox/node-pre-gyp/pull/601

thom-nic avatar Sep 01 '21 21:09 thom-nic

The "better" solution might be to ditch node-pre-gyp which is chronically the source of production dependency CVEs (despite ofc not being used after the initial npm install)

node-gyp-build is a zero-dependency replacement for node-pre-gyp: https://www.npmjs.com/package/node-gyp-build

thom-nic avatar Sep 01 '21 21:09 thom-nic

I'm going to mention #665 here from which I've got a proposed branch that uses prebuildify and node-gyp-build. It can work for you as-is if you're willing to fork and publish your own namespaced package on NPM.

thom-nic avatar Sep 13 '21 18:09 thom-nic

Should we make a patch with the new node-pre-gyp version while we work on the PR that will remove it completely?

ZeRego avatar Nov 23 '21 14:11 ZeRego

Currently under node 14, there are 5 high vulnerabilities:

High Arbitrary File Creation/Overwrite on Windows via
Package tar
Dependency of bcrypt
Path bcrypt > @mapbox/node-pre-gyp > tar
More info https://github.com/advisories/GHSA-5955-9wpr-37jh

High Arbitrary File Creation/Overwrite via insufficient symlink links
Package tar
Dependency of bcrypt
Path bcrypt > @mapbox/node-pre-gyp > tar
More info https://github.com/advisories/GHSA-qq89-hq3f-393p

High Arbitrary File Creation/Overwrite via insufficient symlink
Package tar
Dependency of bcrypt
Path bcrypt > @mapbox/node-pre-gyp > tar
More info https://github.com/advisories/GHSA-9r2w-394v-53qc

High Arbitrary File Creation/Overwrite due to insufficient absolute path sanitization
Package tar
Dependency of bcrypt
Path bcrypt > @mapbox/node-pre-gyp > tar
More info https://github.com/advisories/GHSA-3jfq-g458-7qm9

High Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning
Package tar
Dependency of bcrypt
Path bcrypt > @mapbox/node-pre-gyp > tar
More info https://github.com/advisories/GHSA-r628-mhmh-qjhw

jrichardsz avatar Dec 05 '21 21:12 jrichardsz
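The audit output above is easier to act on in CI when it is parsed rather than eyeballed. The script below is an added example, not code from the bcrypt project or any commenter: it reads Yarn 1 `yarn audit --json` NDJSON output (record shape as assumed in the comments), de-duplicates advisories that yarn repeats once per resolution path, and reports how many of the high findings are reachable only through an install-time helper such as @mapbox/node-pre-gyp. The sample records are constructed to mirror the five advisories quoted in the thread.

```javascript
// Added example (not the bcrypt project's code): triage Yarn 1 `yarn audit --json` output.
// Assumed record shape: {"type":"auditAdvisory","data":{"resolution":{"path":"a>b>c"},
//   "advisory":{"module_name":"tar","severity":"high","title":"...","github_advisory_id":"GHSA-..."}}}
// Packages that run during `yarn install` (binary fetchers) but not inside the app at runtime.
const INSTALL_TIME_ONLY = new Set(["@mapbox/node-pre-gyp", "node-pre-gyp"]);
const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Constructed sample mirroring the advisories quoted in the issue (last one repeated on purpose:
// yarn emits one auditAdvisory record per resolution path, so duplicates are normal).
const adv = (id, title) => JSON.stringify({ type: "auditAdvisory", data: {
  resolution: { path: "bcrypt>@mapbox/node-pre-gyp>tar" },
  advisory: { module_name: "tar", severity: "high", title, github_advisory_id: id } } });
const SAMPLE_AUDIT = [
  adv("GHSA-5955-9wpr-37jh", "Arbitrary File Creation/Overwrite on Windows"),
  adv("GHSA-qq89-hq3f-393p", "Arbitrary File Creation/Overwrite via insufficient symlink links"),
  adv("GHSA-9r2w-394v-53qc", "Arbitrary File Creation/Overwrite via insufficient symlink"),
  adv("GHSA-3jfq-g458-7qm9", "Arbitrary File Creation/Overwrite due to insufficient absolute path sanitization"),
  adv("GHSA-r628-mhmh-qjhw", "Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning"),
  adv("GHSA-r628-mhmh-qjhw", "Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning"),
  JSON.stringify({ type: "auditSummary", data: { vulnerabilities: { high: 5 } } }),
].join("\n");

// One finding per auditAdvisory record, annotated with where in the dependency path it sits.
function parseAudit(ndjson) {
  const findings = [];
  for (const line of ndjson.split("\n")) {
    if (!line.trim()) continue;
    const rec = JSON.parse(line);
    if (rec.type !== "auditAdvisory") continue;
    const { resolution, advisory } = rec.data;
    const path = resolution.path.split(">");
    findings.push({
      id: advisory.github_advisory_id, module: advisory.module_name,
      severity: advisory.severity, title: advisory.title, path,
      // Reached only via an install-time helper: exposure is during install, not in the running app.
      installTimeOnly: path.some((pkg) => INSTALL_TIME_ONLY.has(pkg)),
    });
  }
  return findings;
}

// Dedupe by advisory id, drop anything below minSeverity, and split by where the code runs.
function triage(ndjson, minSeverity = "high") {
  const unique = new Map();
  for (const f of parseAudit(ndjson)) if (!unique.has(f.id)) unique.set(f.id, f);
  const actionable = [...unique.values()]
    .filter((f) => SEVERITY_RANK[f.severity] >= SEVERITY_RANK[minSeverity]);
  const installTime = actionable.filter((f) => f.installTimeOnly).length;
  // Still fail the build: a poisoned tarball unpacked at install time is a supply-chain risk.
  return { total: actionable.length, installTime, runtime: actionable.length - installTime,
    ids: actionable.map((f) => f.id), shouldFail: actionable.length > 0 };
}

console.log(triage(SAMPLE_AUDIT));
```

Feed real output with `yarn audit --json | node triage.js` after swapping `SAMPLE_AUDIT` for stdin; the install-time split tells you which findings are closed by removing node-pre-gyp versus which need a runtime dependency bumped.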

Fixed in latest release

recrsn avatar Oct 06 '22 17:10 recrsn