This repository has been archived by the owner on Feb 21, 2024. It is now read-only.

high severity vulnerability in @colony/purser-metamask for npm #223

Open
olegabr opened this issue Apr 21, 2019 · 3 comments
Comments

olegabr commented Apr 21, 2019

npm i @colony/purser-metamask
found 1 high severity vulnerability
  run `npm audit fix` to fix them, or `npm audit` for details
$ npm audit
                                                                                
                       === npm audit security report ===                        
                                                                                
┌──────────────────────────────────────────────────────────────────────────────┐
│                                Manual Review                                 │
│            Some vulnerabilities require your attention to resolve            │
│                                                                              │
│         Visit https://go.npm.me/audit-guide for additional guidance          │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Arbitrary File Overwrite                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ tar                                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=4.4.2                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ @colony/purser-metamask                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ @colony/purser-metamask > web3 > web3-bzz > swarm-js >       │
│               │ tar.gz > tar                                                 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/803                             │
└───────────────┴──────────────────────────────────────────────────────────────┘
found 1 high severity vulnerability in 111959 scanned packages
  1 vulnerability requires manual review. See the full report for details.
rdig (Member) commented Apr 21, 2019

Thanks for reporting this.

So, from what I gather, the tar package is a sub-sub-dependency of web3.

We had to pin web3 in place to version 1.0.0-beta.36, due to subsequent versions breaking chrome's security layer. See #202 for more details.

I'll try to update web3, maybe a more recent version fixed the chrome security thing (and also updated tar), but if that's not going to work, this is going to be a tricky fix.

@rdig rdig added the bug label Apr 21, 2019
olegabr (Author) commented Apr 22, 2019

Is it safe to use web3 beta?

rdig (Member) commented Apr 23, 2019

As safe as a beta release can be 🙂

But given that the latest web3 releases are all in beta, there isn't any alternative, if you want to use web3 that is.
