GitHub Discovered 7 Vulnerabilities in NodeJS — What Does This Mean For You?
A walkthrough of the vulnerabilities and the recommendations for users
A year ago, GitHub, which has belonged to Microsoft since 2018, took over the JavaScript package manager npm. On September 8, 2021, the company acknowledged seven vulnerabilities in the tar and @npmcli/arborist Node.js packages.
Today, we’ll explore what these vulnerabilities are, what they mean, and what you should do to avoid being affected and protect your projects. But before we start, let’s look at what exactly the tar and @npmcli/arborist packages are.
What Is Tar?
tar is an API created to simulate the behavior of tar(1) on Unix systems.
A “tar file” or “tarball” is an archive of file system entries, like directories, files, and links. The name comes from “tape archive”. If you run man tar on a Unix command line, you'll get more details, like the following:
tar has 5 main top-level commands:
- c to create an archive.
- r to replace entries within an archive.
- u to update entries within an archive.
- t to list out the contents of an archive.
- x to extract an archive to disk.
There are other flags and options that change how these top-level commands work.
Developers download tar tens of millions of times a week, since it’s used to extract and install npm packages and serves as a core dependency of thousands of other projects beyond the npm CLI.
What Is Arborist?
@npmcli/arborist is a core dependency of the npm CLI and is used to manage node_modules trees.
The node_modules folder is in fact a dependency graph rather than a dependency tree, because the relationships between the packages you use in your project are, in reality, a graph with cycles and overlapping connections.
The package manager takes the declared dependency constraints, finds a graph that satisfies them, and then reifies that graph onto disk. The modules on disk look like a discrete tree of files that the program loads at runtime and builds a graph from.
The role of Arborist is to build the tree that satisfies the dependency graph.
“The tree building approach builds upon the “maximally naive deduplication” approach developed by Rebecca Turner when npm v3 introduced up-front deduplication, but adds two new features.
In a nutshell, maximally naive deduplication starts from a given node in the tree (typically the root node), and creates a queue of dependencies that are currently missing or invalid. Then, for each, it starts from the node’s node_modules folder, walks up the tree towards the root to find the shallowest placement location that does not cause any conflicts. The newly placed node is added to the queue so its dependencies can be placed, and the process continues.” — Arborist Deep Dive
What Are the Vulnerabilities and What Do They Mean?
GitHub has acknowledged 7 Common Vulnerabilities and Exposures (CVEs) related to tar and @npmcli/arborist, and 4 of them affect the npm CLI.
The npm CLI should ensure that the contents of a package only end up in the corresponding folder within the node_modules directory hierarchy when it is installed. However, some of these vulnerabilities allow a package to write outside that boundary.
If tar is used to extract untrusted tar files, or the npm CLI is used to install untrusted npm packages, then under certain file system conditions this may lead to overwritten files and unexpected or arbitrary code execution, even if you are using the --ignore-scripts flag to prevent the processing of package lifecycle scripts.
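To make that boundary concrete, here is an added example (my code, not from the article, npm or node-tar) that audits the headers of a tar archive held in memory before anything is extracted, reporting the entry kinds that can write outside the extraction root: absolute names, ".." traversal, and hard or symbolic links. It assumes a plain POSIX ustar archive (no GNU or PAX extensions); the sample archive is constructed inside the code.

```javascript
// Added example (not from the article, npm or node-tar). Build one 512-byte ustar header for the constructed sample.
function ustarHeader(name, typeflag, linkname = '', size = 0) {
  const h = Buffer.alloc(512, 0);
  h.write(name.slice(0, 100), 0, 'latin1');
  h.write('0000644\0', 100); h.write('0000000\0', 108); h.write('0000000\0', 116);
  h.write(size.toString(8).padStart(11, '0') + '\0', 124); h.write('00000000000\0', 136);
  h.write(typeflag, 156); h.write(linkname.slice(0, 100), 157, 'latin1');
  h.write('ustar\0', 257); h.write('00', 263);
  h.fill(' ', 148, 156);                       // checksum is computed with its own field as spaces
  let sum = 0; for (const b of h) sum += b;
  h.write(sum.toString(8).padStart(6, '0') + '\0 ', 148);
  return h;
}
// Read a NUL-terminated header field as a string.
function field(h, off, len) {
  const s = h.toString('latin1', off, off + len), i = s.indexOf('\0');
  return i < 0 ? s : s.slice(0, i);
}
// Would this entry name land outside the extraction root? Returns a reason or null.
function escapesRoot(name) {
  if (name.startsWith('/')) return 'absolute path';
  let depth = 0;
  for (const part of name.split('/')) {
    if (part === '..') { if (--depth < 0) return 'path traversal'; }
    else if (part && part !== '.') depth++;
  }
  return null;
}
// Walk the headers; flag absolute names, '..' traversal, and hard/symbolic links.
function auditTar(buf) {
  const findings = [];
  for (let off = 0; off + 512 <= buf.length; ) {
    const h = buf.subarray(off, off + 512);
    if (h.every(b => b === 0)) break;          // an all-zero block marks the end of the archive
    const prefix = field(h, 345, 155);         // ustar splits long names into prefix + name
    const name = (prefix ? prefix + '/' : '') + field(h, 0, 100);
    const type = String.fromCharCode(h[156] || 48);   // NUL typeflag means regular file ('0')
    const size = parseInt(field(h, 124, 12).trim() || '0', 8);
    const reason = escapesRoot(name); if (reason) findings.push({ name, reason });
    if (type === '1' || type === '2') findings.push({ name, reason: (type === '1' ? 'hard' : 'sym') + 'link to ' + field(h, 157, 100) });
    off += 512 + Math.ceil(size / 512) * 512;  // skip the header and its data blocks
  }
  return findings;
}
// Constructed sample: one safe file, then the three entry kinds npm now rejects on publish.
const sample = Buffer.concat([
  ustarHeader('pkg/index.js', '0', '', 3), Buffer.alloc(512).fill('x', 0, 3),
  ustarHeader('/etc/cron.d/pkg', '0'), ustarHeader('pkg/../../escape.txt', '0'),
  ustarHeader('pkg/link', '2', '../../../outside'), Buffer.alloc(1024),
]);
```

Running auditTar(sample) returns three findings and leaves pkg/index.js unflagged; a real extractor should additionally refuse any link whose resolved target leaves the root.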
Recommendations for Users
On July 29, 2021, GitHub started blocking the publishing of npm packages that contain symbolic links, hard links, or absolute paths.
It has also shipped fixes for the vulnerabilities and sent 16.7 million Dependabot alerts and 1.8 million notifications to possibly affected users.
- GitHub recommends upgrading the npm CLI to version 6.14.15, 7.21.0, or higher.
- If you use a tar dependency, you need to update to version 4.4.19, 5.0.11, 6.1.10, or higher.
- Because the v3 branch of tar has been deprecated, you should use v6.
- The npm team has also responded with a tweet asking npm users to update Node.js to version 12, 14, or 16 or npm to version 6 or 7, and to update any dependency you may have on tar.