Description
npm audit report
diff <8.0.3
jsdiff has a Denial of Service vulnerability in parsePatch and applyPatch - https://github.com/advisories/GHSA-73rr-hh4g-fpgx
fix available via `npm audit fix`
node_modules/diff
tar <=7.5.2
Severity: high
node-tar is Vulnerable to Arbitrary File Overwrite and Symlink Poisoning via Insufficient Path Sanitization - https://github.com/advisories/GHSA-8qq5-rm4j-mr97
fix available via `npm audit fix --force`
Will install @electron/rebuild@0.0.0, which is a breaking change
9 vulnerabilities (1 low, 8 high)
Analysis
1. diff vulnerability (low severity)
   - Can fix: Yes, via `npm audit fix`
   - Status: ✅ Safe to fix
2. tar vulnerability (high severity)
   - Can fix: No, not safely
   - Reason: The vulnerability is in transitive dependencies of electron-builder (@electron/rebuild → @electron/node-gyp → tar). Running `npm audit fix --force` suggests installing `@electron/rebuild@0.0.0`, which is not a valid release and would break the build.
   - Risk assessment: This is a build-time dependency only, not a runtime concern for end users. The vulnerability requires an attacker to control tar archives being extracted during the build process.
   - Status: ⏳ Waiting for upstream fix from electron-builder
Decision
We will wait for the electron-builder team to update their dependency chain to use a patched version of tar. This is a common issue across the Electron ecosystem and is being tracked upstream.
The diff vulnerability can be fixed independently if desired.