Hacking protection
resibe, 2021-11-14 22:52:16

Yarn audit fix - how to secure a site?

Hello, I created an empty Vue 3 TypeScript project and ran yarn audit fix.
As a result, even after the fix, I still have 49 vulnerabilities.
Here is one of them, for example:

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ high          │ Arbitrary File Creation/Overwrite on Windows via             │
│               │ insufficient relative path sanitization                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ tar                                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=6.1.9                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ geckodriver                                                  │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ geckodriver > tar                                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/1002501                     │
└───────────────┴──────────────────────────────────────────────────────────────┘

It says that the vulnerability is fixed in version >=6.1.9, while in my yarn.lock I have:
geckodriver@^1.20.0:
  version "1.22.3"
  resolved "https://registry.yarnpkg.com/geckodriver/-/geckodriver-1.22.3.tgz#324b3102944e8928e67bde61ca129afac417dece"
  integrity sha512-HJvImEC5m/2J7aIn+AdiZml1yTOSFZAb8h8lmZBSUgGSCPdNTd0/6YxBVBsvzpaTuaDQHbMUr+8ikaFKF+Sj/A==
  dependencies:
    adm-zip "0.5.3"
    bluebird "3.7.2"
    got "5.6.0"
    https-proxy-agent "5.0.0"
    tar "6.0.2"

So why didn't yarn audit fix change the tar version for geckodriver?

1 answer(s)
Aetae, 2021-11-14
@resibe

It didn't change the version because it is tar "6.0.2", not tar "^6.0.2".
And in general, don't bother with it.
1. Most of the vulnerabilities are in the libs that you use locally for the build, and you will only break things for yourself.
2. Vue runs on the client, so all these vulnerabilities don't matter in any case, even if they end up in production code.
You should look at this more closely only when you start writing a server in node.js.
PS If you really want to, you can use yarn resolutions and hard-pin dependency versions. But then no one guarantees that it will work correctly for you.
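To make the first point concrete, here is an added example in Node.js (not code from the thread) that parses the yarn.lock entry quoted in the question and checks each declared range against the advisory's "Patched in" constraint; the lock text, the advisory map and all function names are constructed for this illustration.

```javascript
// Added example: why `yarn audit fix` cannot bump a dependency pinned to an exact version.
// The lock text and advisory map are constructed from the question's yarn.lock entry and audit table.
const LOCK_ENTRY = `
geckodriver@^1.20.0:
  version "1.22.3"
  dependencies:
    adm-zip "0.5.3"
    tar "6.0.2"
`;
const ADVISORIES = { tar: ">=6.1.9" }; // package -> "Patched in" from the audit output
// "^6.0.2", ">=6.1.9" or "6.0.2" -> [6, 0, 2]
function parseVersion(v) {
  return v.replace(/^[\^~>=<]+/, "").split(".").map(Number);
}
// Lexicographic compare of [major, minor, patch]; Infinity marks an open component
const cmp = (a, b) => a[0] - b[0] || a[1] - b[1] || a[2] - b[2];
// Highest version a range allows, or null if unbounded (assumes x.y.z ranges).
// Exact pin: the version itself; ~: same minor; ^: same major (0.x: same minor).
function rangeCeiling(range) {
  const [maj, min, patch] = parseVersion(range);
  if (range.startsWith("^")) return maj > 0 ? [maj, Infinity, Infinity] : [0, min, Infinity];
  if (range.startsWith("~")) return [maj, min, Infinity];
  if (/^\d/.test(range)) return [maj, min, patch];
  return null; // >=, *, || etc. are treated as unbounded in this example
}
// True when the declared range can already reach the patched version, i.e. the
// lockfile alone can be updated without touching the dependent's package.json
function canAutoFix(range, patchedIn) {
  const ceil = rangeCeiling(range);
  return ceil === null || cmp(ceil, parseVersion(patchedIn)) >= 0;
}
// Collect `name "range"` lines from the dependencies: block of a yarn.lock v1 entry
function parseDependencies(lockText) {
  const deps = {}; let inDeps = false;
  for (const line of lockText.split("\n")) {
    if (/^  dependencies:\s*$/.test(line)) { inDeps = true; continue; }
    const m = inDeps ? line.match(/^    (\S+) "([^"]+)"/) : null;
    if (m) deps[m[1]] = m[2];
    else if (inDeps && line.trim() !== "") inDeps = false; // left the block
  }
  return deps;
}
// For each advised package in the entry, say whether `yarn audit fix` can resolve it
function auditPins(lockText, advisories) {
  const deps = parseDependencies(lockText);
  return Object.entries(advisories)
    .filter(([name]) => name in deps)
    .map(([name, patchedIn]) => ({ name, range: deps[name], patchedIn, autoFixable: canAutoFix(deps[name], patchedIn) }));
}
```

For the quoted entry, auditPins reports tar "6.0.2" as not auto-fixable, which is exactly the answer's point: the exact pin leaves no room below >=6.1.9, so only a resolutions override or an upstream geckodriver release can move it.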
