Security Issue in cloudron CLI's dependency
-
@girish @nebulon While installing the Cloudron CLI, I got this message. Is this something that we should worry about? Please confirm and fix if required. Thanks!
```
nj@mac% npm install cloudron
up to date, audited 114 packages in 583ms

15 packages are looking for funding
  run `npm fund` for details

2 high severity vulnerabilities

To address all issues (including breaking changes), run:
  npm audit fix --force

Run `npm audit` for details.
nj@mac% npm audit
# npm audit report

tar-fs  <1.16.2
Severity: high
Improper Input Validation in tar-fs - https://github.com/advisories/GHSA-x2mc-8fgj-3wmr
fix available via `npm audit fix --force`
Will install cloudron@0.9.4, which is a breaking change
node_modules/tar-fs
  cloudron  >=0.9.5
  Depends on vulnerable versions of tar-fs
  node_modules/cloudron

2 high severity vulnerabilities

To address all issues (including breaking changes), run:
  npm audit fix --force
```
-
Hardened Node developer here: long story short, nothing to worry about.
NPM security warnings are completely broken; they have a near 100% false positive rate (technically, the "vulnerable" dependency is here, but the flaw is, in literally all instances I have seen, not exploitable). An interesting read about this if you want: https://overreacted.io/npm-audit-broken-by-design/
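Whether an audit finding matters comes down to two questions the plain `npm audit` output answers only indirectly: which package actually carries the advisory and through which chain of dependents it reaches your project (that is what you inspect for reachability), and what the proposed "fix" would really do (here, `npm audit fix --force` would move cloudron from the >=0.9.5 range down to 0.9.4, i.e. a breaking downgrade of the CLI itself). The following script is an added example, not Cloudron's code or anything posted in this thread; it triages the machine-readable form of the same report. `SAMPLE_AUDIT` is a constructed `npm audit --json` document (npm 7+ `auditReportVersion` 2) modelled on the output above; the advisory title, URL and version ranges are taken from the thread, everything else in it (the `source` id, the exact object layout) is assumed.

```javascript
// Triage helper for `npm audit --json` (npm 7+, "auditReportVersion": 2).
// Added example, not Cloudron's code. SAMPLE_AUDIT is a constructed report
// modelled on the thread's `npm audit` output; values other than the advisory
// title/URL and the version ranges shown there are assumptions.
const SAMPLE_AUDIT = {
  auditReportVersion: 2,
  vulnerabilities: {
    "tar-fs": {
      name: "tar-fs",
      severity: "high",
      isDirect: false,
      via: [{
        source: 0, // advisory id: placeholder, not the real one
        name: "tar-fs",
        dependency: "tar-fs",
        title: "Improper Input Validation in tar-fs",
        url: "https://github.com/advisories/GHSA-x2mc-8fgj-3wmr",
        severity: "high",
        range: "<1.16.2",
      }],
      effects: ["cloudron"],
      range: "<1.16.2",
      nodes: ["node_modules/tar-fs"],
      fixAvailable: { name: "cloudron", version: "0.9.4", isSemVerMajor: true },
    },
    cloudron: {
      name: "cloudron",
      severity: "high",
      isDirect: true,
      via: ["tar-fs"], // a bare name: flagged only because it depends on tar-fs
      effects: [],
      range: ">=0.9.5",
      nodes: ["node_modules/cloudron"],
      fixAvailable: { name: "cloudron", version: "0.9.4", isSemVerMajor: true },
    },
  },
};

// Entries whose `via` contains objects carry the advisory itself; entries whose
// `via` holds only package names are dependents flagged transitively.
function rootAdvisories(report) {
  return Object.values(report.vulnerabilities)
    .filter((v) => v.via.some((x) => typeof x === "object"));
}

// Follow `effects` upward from a package until a direct dependency is reached,
// returning every path as an array of package names (vulnerable leaf first).
function chainsToDirect(report, name, seen = new Set()) {
  const v = report.vulnerabilities[name];
  if (!v || seen.has(name)) return []; // unknown node or a cycle
  const path = new Set(seen).add(name);
  if (v.isDirect || v.effects.length === 0) return [[name]];
  return v.effects.flatMap((parent) =>
    chainsToDirect(report, parent, path).map((rest) => [name, ...rest]));
}

// Minimal x.y.z comparison (enough for audit ranges; pre-release tags ignored).
function cmpVersion(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Lower bound of a ">=x.y.z" range, or null when the range has no such bound.
function lowerBound(range) {
  const m = /^>=\s*(\d+\.\d+\.\d+)/.exec(range || "");
  return m ? m[1] : null;
}

// One record per real advisory: severity, the chains a reviewer must inspect for
// reachability, and whether the proposed fix is breaking or even a downgrade.
function triage(report) {
  return rootAdvisories(report).map((v) => {
    const adv = v.via.find((x) => typeof x === "object");
    const chains = chainsToDirect(report, v.name).map((c) => c.join(" -> "));
    const record = {
      advisory: v.name, title: adv.title, url: adv.url,
      severity: adv.severity, range: v.range, chains, fix: null,
    };
    const fix = v.fixAvailable;
    if (fix && typeof fix === "object") {
      const target = report.vulnerabilities[fix.name];
      const bound = target ? lowerBound(target.range) : null;
      record.fix = {
        package: fix.name,
        version: fix.version,
        breaking: Boolean(fix.isSemVerMajor),
        // The affected range of the direct dependency starts above the proposed
        // version, so "fixing" means installing an older release.
        downgrade: bound !== null && cmpVersion(fix.version, bound) < 0,
      };
    }
    return record;
  });
}

console.log(JSON.stringify(triage(SAMPLE_AUDIT), null, 2));
```

On a real project, replace `SAMPLE_AUDIT` with `JSON.parse` of the output of `npm audit --json`. For the report in this thread the script yields a single advisory, tar-fs, reached through the chain `tar-fs -> cloudron`, with a fix that is both breaking and a downgrade; that is the information needed to decide whether the tar-fs code path is reachable from how the CLI is used, rather than applying `--force` because the summary line says "high".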
-
girish marked this topic as a question on
-
girish has marked this topic as solved on