Security Issue in cloudron CLI's dependency
-
@girish @nebulon While installing the cloudron cli, I got this message. Is this something that we should worry about? Please confirm and fix if required. Thanks!
nj@mac% npm install cloudron up to date, audited 114 packages in 583ms 15 packages are looking for funding run `npm fund` for details 2 high severity vulnerabilities To address all issues (including breaking changes), run: npm audit fix --force Run `npm audit` for details. nj@mac% npm audit # npm audit report tar-fs <1.16.2 Severity: high Improper Input Validation in tar-fs - https://github.com/advisories/GHSA-x2mc-8fgj-3wmr fix available via `npm audit fix --force` Will install cloudron@0.9.4, which is a breaking change node_modules/tar-fs cloudron >=0.9.5 Depends on vulnerable versions of tar-fs node_modules/cloudron 2 high severity vulnerabilities To address all issues (including breaking changes), run: npm audit fix --force -
Hardened node developer here : long story short, nothing to worry about.
NPM security warnings are completely broken, they have a near 100% false positive rate (technically, the "vulnerable" dependency is here, but the flaw is, in literally all instances I have seen, not exploitable). An interesting read about this if you want : https://overreacted.io/npm-audit-broken-by-design/
-
G girish marked this topic as a question on
-
G girish has marked this topic as solved on
