[BUG] npm@latest still bundles vulnerable tar@7.5.1 (GHSA-29xp-372q-xqph) #8715
Description
Is there an existing issue for this?
- I have searched the existing issues
This issue exists in the latest npm version
- I am using the latest npm
Current Behavior
Running npm audit flags a moderate severity vulnerability (GHSA-29xp-372q-xqph) due to tar@7.5.1 bundled within npm@11.6.2.
The issue stems from node-tar having a race condition that could lead to uninitialized memory exposure.
Even though a fixed version of tar has been released, the latest npm version (11.6.2) still depends on the vulnerable version (tar@7.5.1).
This causes CI/CD audit pipelines to fail despite using the latest npm release.
Expected Behavior
The latest npm release (11.6.2) should depend on a non-vulnerable version of tar.
Running npm audit should return zero vulnerabilities when using the most up-to-date npm version, ensuring that security audits and CI/CD pipelines complete successfully without false vulnerability flags.
Steps To Reproduce
- In this environment:
  - Node.js version: <=23.5.0
  - npm version: <=11.6.2
- With this configuration:
  Project uses npm's default audit behavior in a CI/CD pipeline.
  No custom overrides or local tar installations.
- Run:
  npm audit
- Error:
# npm audit report
tar 7.5.1
Severity: moderate
node-tar has a race condition leading to uninitialized memory exposure - https://github.com/advisories/GHSA-29xp-372q-xqph
fix available via `npm audit fix`
node_modules/npm/node_modules/tar
npm 7.21.0 - 8.5.4 || >=11.6.1
Depends on vulnerable versions of tar
node_modules/npm
2 moderate severity vulnerabilities
Environment
npm: 11.6.2
Node.js: 22.14.0
OS Name: macOS 13.7.1 (Ventura)
System Model Name: MacBook Pro 2017
npm config ls: ; "user" config from /Users//.npmrc
node bin location = /usr/local/bin/node
; node version = v22.14.0
; npm local prefix = /Users/mac/Desktop/batman /code/company/main-api
; npm version = 11.6.2
; cwd = /Users/mac/Desktop/batman /code/company/main-api
; HOME = /Users/mac