Hi. I initialized a new React project using npm and create-react-app. The npm audit shows me 12 vulnerabilities about the fstream and tar packages:
High            Arbitrary File Overwrite
Package         fstream
Patched in      >=1.0.12
Dependency of   react-scripts
Path            react-scripts > webpack > chrome-trace-event > npm > npm-lifecycle > node-gyp > tar > fstream
More info       https://nodesecurity.io/advisories/886

High            Arbitrary File Overwrite
Package         tar
Patched in      >=2.2.2 <3.0.0 || >=4.4.2
Dependency of   react-scripts
Path            react-scripts > webpack > chrome-trace-event > npm > libcipm > npm-lifecycle > node-gyp > tar
More info       https://nodesecurity.io/advisories/803
Which is strange, because when I manually check the version of these packages I get:
PS D:\webDev\fcc-projects\markdown-preview> npm info tar version
4.4.8
PS D:\webDev\fcc-projects\markdown-preview> npm info fstream version
1.0.12
PS D:\webDev\fcc-projects\markdown-preview>
Which are the versions suggested by npm. Also, a project that I started about a week ago using the same commands in the same environment doesn't have these vulnerabilities?
I could just ignore them, since the versions of the packages I'm using are OK, but why does audit show otherwise?
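The check the post is missing is against the installed tree rather than the registry: `npm info <pkg> version` reports the newest version published to the registry, while `npm audit` evaluates every copy of the package actually resolved in the lock file, including the nested copy under `node-gyp` in the paths shown above (`npm ls tar` would list those installed copies). The following is an added example, not code from the original post or from npm: it reads a package-lock.json in the lockfileVersion 2/3 layout (the flat `packages` map keyed by install path), finds every installed copy of a package, and tests each one against an advisory's "Patched in" range. The lock fragment is constructed to mirror the dependency paths quoted in the post; the version numbers in it (2.2.1 for the nested tar, 1.0.11 for fstream, 4.4.8 at top level) are assumptions, not the poster's real tree. The range parser handles only the `>=`, `>`, `<=`, `<`, `=` and `||` forms that appear in the advisories above, not the full semver grammar.

```javascript
// Added example (not from the original post): triage npm audit findings by
// locating every installed copy of a package in package-lock.json and
// comparing it with the advisory's "Patched in" range.

// Build a lockfile v2/v3 "packages" key from a chain of package names.
// e.g. ["a", "b"] -> "node_modules/a/node_modules/b"
const nestedPath = (names) => names.map((n) => `node_modules/${n}`).join("/");

// CONSTRUCTED lock fragment mirroring the two audit paths in the post.
// Versions are assumptions chosen to show one vulnerable and one patched copy.
const sampleLock = {
  lockfileVersion: 2,
  packages: {
    [nestedPath(["react-scripts"])]: { version: "3.0.0" },
    [nestedPath(["react-scripts", "webpack", "chrome-trace-event", "npm",
      "npm-lifecycle", "node-gyp", "tar"])]: { version: "2.2.1" },
    [nestedPath(["react-scripts", "webpack", "chrome-trace-event", "npm",
      "npm-lifecycle", "node-gyp", "tar", "fstream"])]: { version: "1.0.11" },
    // A second, top-level copy of tar that is already patched. This is the
    // copy a naive top-level check would see.
    [nestedPath(["tar"])]: { version: "4.4.8" },
  },
};

// Parse "v1.2.3" / "1.2.3-beta" into [1, 2, 3]; prerelease tags are ignored
// (simplification: the advisories above only use plain x.y.z bounds).
function parseVersion(v) {
  const core = String(v).replace(/^v/, "").split("-")[0];
  const parts = core.split(".").map(Number);
  if (parts.length !== 3 || parts.some(Number.isNaN)) {
    throw new Error(`unsupported version: ${v}`);
  }
  return parts;
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i += 1) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Evaluate a "Patched in" expression such as ">=2.2.2 <3.0.0 || >=4.4.2".
// "||" separates alternatives; whitespace inside an alternative means AND.
function satisfies(version, rangeExpr) {
  const v = parseVersion(version);
  return rangeExpr.split("||").some((alt) =>
    alt.trim().split(/\s+/).filter(Boolean).every((comp) => {
      const m = /^(>=|<=|>|<|=)?\s*v?(\d+\.\d+\.\d+)$/.exec(comp);
      if (!m) throw new Error(`unsupported comparator: ${comp}`);
      const c = compareVersions(v, parseVersion(m[2]));
      switch (m[1] || "=") {
        case ">=": return c >= 0;
        case "<=": return c <= 0;
        case ">": return c > 0;
        case "<": return c < 0;
        default: return c === 0;
      }
    }));
}

// Every installed copy of `name`, wherever it sits in the tree. The key must
// end in "node_modules/<name>" so that "tar" does not match "tar-stream".
function findInstalled(lock, name) {
  const suffix = `node_modules/${name}`;
  return Object.entries(lock.packages || {})
    .filter(([key]) => key === suffix || key.endsWith(`/${suffix}`))
    .map(([key, meta]) => ({ path: key, version: meta.version }));
}

// Mark each installed copy as vulnerable unless it falls in the patched range.
function triage(lock, name, patchedIn) {
  return findInstalled(lock, name).map((entry) => ({
    ...entry,
    vulnerable: !satisfies(entry.version, patchedIn),
  }));
}

// Ranges below are the "Patched in" values quoted in the post's audit output.
const findings = [
  ...triage(sampleLock, "tar", ">=2.2.2 <3.0.0 || >=4.4.2"),
  ...triage(sampleLock, "fstream", ">=1.0.12"),
];
for (const f of findings) {
  console.log(`${f.vulnerable ? "VULNERABLE" : "ok        "} ${f.version.padEnd(8)} ${f.path}`);
}

module.exports = { parseVersion, compareVersions, satisfies, findInstalled, triage, sampleLock };
```

Against a real project, replace `sampleLock` with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`; the output lists the nested copy that the audit is actually flagging, which is the one to upgrade (or to confirm is unreachable at runtime) rather than the top-level copy that `npm info` tempts you to compare against.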