npm audit and ways to resolve it other than npm audit fix
I'm creating an Electron app, and these are the dependencies installed:

```json
"devDependencies": {
  "@electron-forge/cli": "^7.11.1",
  "@electron-forge/maker-deb": "^7.11.1",
  "@electron-forge/maker-rpm": "^7.11.1",
  "@electron-forge/maker-squirrel": "^7.11.1",
  "@electron-forge/maker-zip": "^7.11.1",
  "@electron-forge/plugin-auto-unpack-natives": "^7.11.1",
  "@electron-forge/plugin-fuses": "^7.11.1",
  "@electron/fuses": "^1.8.0",
  "electron": "^40.1.0",
  "prettier": "^3.8.1"
},
"dependencies": {
  "electron-squirrel-startup": "^1.0.1"
}
```
When I ran `npm install`, I got these high-risk vulnerability issues listed:

```text
# npm audit report
tar <=7.5.6
Severity: high
node-tar is Vulnerable to Arbitrary File Overwrite and Symlink Poisoning via Insufficient Path Sanitization - https://github.com/advisories/GHSA-8qq5-rm4j-mr97
Race Condition in node-tar Path Reservations via Unicode Ligature Collisions on macOS APFS - https://github.com/advisories/GHSA-r6q2-hw4h-h46w
node-tar Vulnerable to Arbitrary File Creation/Overwrite via Hardlink Path Traversal - https://github.com/advisories/GHSA-34x7-hfp2-rc4v
No fix available
node_modules/tar
  @electron/node-gyp *
  Depends on vulnerable versions of make-fetch-happen
  Depends on vulnerable versions of tar
  node_modules/@electron/node-gyp
    @electron/rebuild 3.2.10 - 4.0.2
    Depends on vulnerable versions of @electron/node-gyp
    Depends on vulnerable versions of tar
    node_modules/@electron/rebuild
      @electron-forge/core *
      Depends on vulnerable versions of @electron-forge/core-utils
      Depends on vulnerable versions of @electron-forge/maker-base
      Depends on vulnerable versions of @electron-forge/plugin-base
      Depends on vulnerable versions of @electron-forge/publisher-base
      Depends on vulnerable versions of @electron-forge/shared-types
      Depends on vulnerable versions of @electron-forge/template-base
      Depends on vulnerable versions of @electron-forge/template-vite
      Depends on vulnerable versions of @electron-forge/template-vite-typescript
      Depends on vulnerable versions of @electron-forge/template-webpack
      Depends on vulnerable versions of @electron-forge/template-webpack-typescript
      Depends on vulnerable versions of @electron/rebuild
      node_modules/@electron-forge/core
      @electron-forge/core-utils *
      Depends on vulnerable versions of @electron-forge/shared-types
      Depends on vulnerable versions of @electron/rebuild
      node_modules/@electron-forge/core-utils
        @electron-forge/cli *
        Depends on vulnerable versions of @electron-forge/core
        Depends on vulnerable versions of @electron-forge/core-utils
        Depends on vulnerable versions of @electron-forge/shared-types
        Depends on vulnerable versions of @inquirer/prompts
        node_modules/@electron-forge/cli
        @electron-forge/template-base *
        Depends on vulnerable versions of @electron-forge/core-utils
        Depends on vulnerable versions of @electron-forge/shared-types
        node_modules/@electron-forge/template-base
      @electron-forge/shared-types *
      Depends on vulnerable versions of @electron/rebuild
      node_modules/@electron-forge/shared-types
        @electron-forge/maker-base *
        Depends on vulnerable versions of @electron-forge/shared-types
        node_modules/@electron-forge/maker-base
          @electron-forge/maker-deb *
          Depends on vulnerable versions of @electron-forge/maker-base
          Depends on vulnerable versions of @electron-forge/shared-types
          node_modules/@electron-forge/maker-deb
          @electron-forge/maker-rpm *
          Depends on vulnerable versions of @electron-forge/maker-base
          Depends on vulnerable versions of @electron-forge/shared-types
          node_modules/@electron-forge/maker-rpm
          @electron-forge/maker-squirrel *
          Depends on vulnerable versions of @electron-forge/maker-base
          Depends on vulnerable versions of @electron-forge/shared-types
          node_modules/@electron-forge/maker-squirrel
          @electron-forge/maker-zip *
          Depends on vulnerable versions of @electron-forge/maker-base
          Depends on vulnerable versions of @electron-forge/shared-types
          node_modules/@electron-forge/maker-zip
        @electron-forge/plugin-auto-unpack-natives *
        Depends on vulnerable versions of @electron-forge/plugin-base
        Depends on vulnerable versions of @electron-forge/shared-types
        node_modules/@electron-forge/plugin-auto-unpack-natives
        @electron-forge/plugin-base *
        Depends on vulnerable versions of @electron-forge/shared-types
        node_modules/@electron-forge/plugin-base
          @electron-forge/plugin-fuses *
          Depends on vulnerable versions of @electron-forge/plugin-base
          Depends on vulnerable versions of @electron-forge/shared-types
          node_modules/@electron-forge/plugin-fuses
        @electron-forge/publisher-base *
        Depends on vulnerable versions of @electron-forge/shared-types
        node_modules/@electron-forge/publisher-base
        @electron-forge/template-vite *
        Depends on vulnerable versions of @electron-forge/shared-types
        Depends on vulnerable versions of @electron-forge/template-base
        node_modules/@electron-forge/template-vite
        @electron-forge/template-vite-typescript *
        Depends on vulnerable versions of @electron-forge/shared-types
        Depends on vulnerable versions of @electron-forge/template-base
        node_modules/@electron-forge/template-vite-typescript
        @electron-forge/template-webpack *
        Depends on vulnerable versions of @electron-forge/shared-types
        Depends on vulnerable versions of @electron-forge/template-base
        node_modules/@electron-forge/template-webpack
        @electron-forge/template-webpack-typescript *
        Depends on vulnerable versions of @electron-forge/shared-types
        Depends on vulnerable versions of @electron-forge/template-base
        node_modules/@electron-forge/template-webpack-typescript
  cacache 14.0.0 - 18.0.4
  Depends on vulnerable versions of tar
  node_modules/cacache
    make-fetch-happen 7.1.1 - 14.0.0
    Depends on vulnerable versions of cacache
    node_modules/make-fetch-happen

tmp <=0.2.3
tmp allows arbitrary temporary file / directory write via symbolic link `dir` parameter - https://github.com/advisories/GHSA-52f5-9888-hmc6
No fix available
node_modules/tmp
  external-editor >=1.1.1
  Depends on vulnerable versions of tmp
  node_modules/external-editor
    @inquirer/editor <=4.2.15
    Depends on vulnerable versions of external-editor
    node_modules/@inquirer/editor
      @inquirer/prompts <=6.0.1
      Depends on vulnerable versions of @inquirer/editor
      node_modules/@inquirer/prompts

27 vulnerabilities (4 low, 23 high)

To address issues that do not require attention, run:
  npm audit fix

Some issues need review, and may require choosing
a different dependency.
```
I ran `npm audit fix`, and it doesn't resolve anything. And I usually avoid doing `npm audit fix --force`, as it ends up breaking stuff a lot.

However, when I run `yarn` instead, it outputs something like this:

```text
╰─ yarn ─╯
➤ YN0088: A new stable version of Yarn is available: 4.12.0!
➤ YN0088: Upgrade now by running yarn set version 4.12.0
➤ YN0000: · Yarn 4.10.3
➤ YN0000: ┌ Resolution step
➤ YN0085: │ + @electron-forge/cli@npm:7.11.1, @electron-forge/maker-deb@npm:7.11.1, @electron-forge/maker-rpm@npm:7.11.1, @electron-forge/maker-squirrel@npm:7.11.1, @electron-forge/maker-zip@npm:7.11.1, and 513 more.
➤ YN0000: └ Completed in 5s 328ms
➤ YN0000: ┌ Fetch step
➤ YN0013: │ 4 packages were added to the project (+ 7.08 MiB).
➤ YN0000: └ Completed in 0s 460ms
➤ YN0000: ┌ Link step
➤ YN0031: │ One or more node_modules have been detected and will be removed. This operation may take some time.
➤ YN0000: │ ESM support for PnP uses the experimental loader API and is therefore experimental
➤ YN0007: │ electron-winstaller@npm:5.4.0 must be built because it never has been before or the last one failed
➤ YN0007: │ electron@npm:40.2.1 must be built because it never has been before or the last one failed
➤ YN0000: └ Completed in 0s 638ms
➤ YN0000: · Done with warnings in 6s 499ms
```
Now, I do know Yarn has some automatic dependency-resolving stuff, but I don't know whether it's simply not printing any errors or whether it has actually resolved them. `yarn audit` doesn't seem to exist.

How can I make sure that **the vulnerabilities have been resolved**? Or, if there is another way to fix the `npm audit` issues, I would love to know. Thanks in advance.