high severity vulnerabilities due to node-gyp@3.8

What I Wanted to Do

I am using hippie in one of my repos. Installing it yields a vulnerability warning in the console.

My goal is to get rid of those vulnerability warnings to gain trust regarding #security ¯\_(ツ)_/¯

I learned that the dependency of node-gyp is causing this issue. You might want to upgrade to node-gyp@latest.

What Happened Instead

I got the vulnerability warning :confused:

Reproduction Steps

  1. set up a repo with hippie@0.5.2 as a dependency
  2. run npm install
  3. see the vulnerability report

Then, if you do npm audit fix and check the diff afterwards, you’ll see that node-gyp@3.8 is causing tar to be included at version 2.x, which is what causes the trouble. If you update to node-gyp@latest this should be mitigated.

Example:

└─┬ hippie@0.5.2
  └─┬ npm@6.9.0
    └─┬ node-gyp@3.8.0
      └─┬ tar@2.2.2
        └── block-stream@0.0.9

Details

Platform Info

$ npm -v
6.9.0

$ node -p process.platform
linux

There’s even a fix in tar: https://github.com/npm/node-tar/issues/212

But there’s a feature in npm called “bundledDependencies”, which the npm package uses, and it effectively prevents the dependencies npm uses from being updated. -_-


Please make npm audit happy with npm / tar / node-gyp again. TIA.