npm audit shows vulnerabilities despite vulnerability-free packages being installed

Hi. I initialized a new React project using npm and create-react-app.
npm audit shows me 12 vulnerabilities in the fstream and tar packages:

  High            Arbitrary File Overwrite
  Package         fstream
  Patched in      >=1.0.12
  Dependency of   react-scripts
  Path            react-scripts > webpack > chrome-trace-event > npm >
                  npm-lifecycle > node-gyp > tar > fstream
  More info       https://nodesecurity.io/advisories/886

  High            Arbitrary File Overwrite
  Package         tar
  Patched in      >=2.2.2 <3.0.0 || >=4.4.2
  Dependency of   react-scripts
  Path            react-scripts > webpack > chrome-trace-event > npm > libcipm
                  > npm-lifecycle > node-gyp > tar
  More info       https://nodesecurity.io/advisories/803

Which is strange, because when I manually check the version of these packages I get:

PS D:\webDev\fcc-projects\markdown-preview> npm info tar version
4.4.8
PS D:\webDev\fcc-projects\markdown-preview> npm info fstream  version
1.0.12
PS D:\webDev\fcc-projects\markdown-preview>

Which are the versions npm suggests. Also, a project that I started about a week ago using the same commands in the same environment doesn't have these vulnerabilities?
I could just ignore them, since the versions of the packages I'm using are OK, but why does audit show otherwise :thinking:?
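A note on what the two commands above actually compare, with an added example that is not part of the original thread. `npm info <pkg> version` asks the registry for the latest published version of a package; it says nothing about which copy is installed in your project. `npm audit` instead walks package-lock.json, where a dependency such as node-gyp can carry its own nested, older copy of tar or fstream even when a current copy sits at the top level (`npm ls tar` shows the installed copies). The script below walks a lockfile in the lockfileVersion 1 layout, lists every installed copy of a package with its nesting path, and checks each against the patched range quoted in the advisory. The lockfile object and the `0.0.0-sample` versions are constructed for illustration; the two patched ranges are the ones from the audit output above.

```javascript
// Added example: find every installed copy of a package in a package-lock.json
// (lockfileVersion 1 layout, nested "dependencies" objects) and check each copy
// against an advisory's patched range. Not code from npm or from the thread.

// Constructed sample lockfile: top-level tar/fstream are current, but node-gyp
// carries its own nested, older copies. "0.0.0-sample" is a placeholder, not a
// real release.
const SAMPLE_LOCK = {
  name: 'markdown-preview',
  lockfileVersion: 1,
  dependencies: {
    tar: { version: '4.4.8' },
    fstream: { version: '1.0.12' },
    'react-scripts': {
      version: '0.0.0-sample',
      dependencies: {
        'node-gyp': {
          version: '0.0.0-sample',
          dependencies: {
            tar: { version: '2.2.1' },
            fstream: { version: '1.0.11' },
          },
        },
      },
    },
  },
};

// Patched ranges exactly as the two advisories in the thread state them.
const ADVISORIES = {
  fstream: '>=1.0.12',
  tar: '>=2.2.2 <3.0.0 || >=4.4.2',
};

// Parse "major.minor.patch" into numbers; any prerelease suffix is ignored.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Numeric comparison of two versions: -1, 0 or 1.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Minimal semver range check covering the operators advisories use:
// space-separated comparators are ANDed, "||" separates alternatives.
function satisfies(version, range) {
  return range.split('||').some((alt) =>
    alt.trim().split(/\s+/).every((comparator) => {
      const m = /^(>=|<=|>|<|=)?(\d+\.\d+\.\d+)$/.exec(comparator);
      if (!m) throw new Error(`unsupported comparator: ${comparator}`);
      const cmp = compareVersions(version, m[2]);
      switch (m[1] || '=') {
        case '>=': return cmp >= 0;
        case '<=': return cmp <= 0;
        case '>': return cmp > 0;
        case '<': return cmp < 0;
        default: return cmp === 0;
      }
    })
  );
}

// Recursively collect every installed copy of `name`, with the nesting path
// the lockfile records for it (e.g. "react-scripts > node-gyp > tar").
function findInstalled(lock, name, path = []) {
  const found = [];
  for (const [dep, meta] of Object.entries(lock.dependencies || {})) {
    const here = [...path, dep];
    if (dep === name) found.push({ path: here.join(' > '), version: meta.version });
    found.push(...findInstalled(meta, name, here));
  }
  return found;
}

// Mark each installed copy as vulnerable unless it falls inside the patched range.
function auditPackage(lock, name, patchedRange) {
  return findInstalled(lock, name).map((hit) => ({
    ...hit,
    vulnerable: !satisfies(hit.version, patchedRange),
  }));
}

// Report for the sample lockfile: the top-level copies pass, the nested ones fail.
for (const [pkg, range] of Object.entries(ADVISORIES)) {
  for (const hit of auditPackage(SAMPLE_LOCK, pkg, range)) {
    const status = hit.vulnerable ? 'VULNERABLE' : 'ok';
    console.log(`${status.padEnd(10)} ${pkg}@${hit.version}  (${hit.path})  patched in ${range}`);
  }
}
```

To run it against a real project, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`; a lockfileVersion 2 or 3 file keeps the same nested `dependencies` block for compatibility, but its authoritative data lives under `packages` keyed by node_modules path, which this walker does not read.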

I don’t know the inner workings of npm, but it seems you need to manually edit the package-lock.json file. See https://stackoverflow.com/q/55638180

I tried it (also had the 12 vulnerabilities) and it reported 0 vulnerabilities. Though it sucks if you need to keep doing this for every project.


Thanks, it worked for 8 of 12 vulnerabilities for me. I tried doing the same with the fstream dependency, but somehow I still get a warning.