Bug 243388 - www/npm: Update to 6.13.4 - < 6.13.4 vulnerable to multiple vulnerabilities incl. arbitrary file write
Summary: www/npm: Update to 6.13.4 - < 6.13.4 vulnerable to multiple vulnerabilities i...
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: Normal Affects Many People
Assignee: Sunpoet Po-Chuan Hsieh
Keywords: needs-patch, security
Depends on:
Reported: 2020-01-16 11:35 UTC by volker77
Modified: 2020-10-02 09:05 UTC (History)
8 users (show)

See Also:
bugzilla: maintainer-feedback? (sunpoet)
pizzamig: maintainer-feedback+
koobs: merge-quarterly?

svn diff from /usr/ports/www/npm (93.44 KB, patch)
2020-09-21 19:03 UTC, Chad Jacob Milios
no flags Details | Diff
distfile to be placed into /usr/ports/distfiles (34 bytes, text/plain)
2020-09-21 19:14 UTC, Chad Jacob Milios
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description volker77 2020-01-16 11:35:20 UTC
Please see advisories for details:


These also seem to affect yarn, so this may have repercussions for all / most NodeJS related ports.
Comment 1 Kubilay Kocak freebsd_committer freebsd_triage 2020-01-16 11:48:34 UTC
Thank you for the report

^Triage: CC www/yarn maintainer and request feedback
Comment 2 Luca Pizzamiglio freebsd_committer 2020-01-20 08:46:34 UTC
there no CVE filled for yarn. It's a npm issue only.
Comment 3 volker77 2020-01-20 10:16:58 UTC
(In reply to Luca Pizzamiglio from comment #2)

This looks very much like at least a related issue, given timing and nature of the fix:

Comment 4 Matthias Fechner freebsd_committer 2020-06-10 12:13:57 UTC
I added a vulnerability record here:
Comment 5 Jochen Neumeister freebsd_committer 2020-07-23 19:44:01 UTC
any news here?
Comment 6 Jochen Neumeister freebsd_committer 2020-08-08 18:38:43 UTC
Gentle Ping from Ports-Secteam
Comment 7 Palle Girgensohn freebsd_committer 2020-08-26 11:27:03 UTC
It seems it is also unsupported with the current version of node in ports:

npm WARN npm npm does not support Node.js v14.8.0
npm WARN npm You should probably upgrade to a newer version of node as we
npm WARN npm can't make any promises that npm will work with this version.
npm WARN npm Supported releases of Node.js are the latest release of 6, 8, 9, 10, 11, 12, 13.
npm WARN npm You can find the latest version at https://nodejs.org/

Maybe releases of node should be synced with releases of npm? I'm adding bhughes@, maintainer of www/node. Maybe he has some input?

Comment 8 Chad Jacob Milios 2020-09-21 19:03:48 UTC
Created attachment 218155 [details]
svn diff from /usr/ports/www/npm

i did not update the MASTER_SITES make variable. so, the committer should set that properly to point to the new distfile
Comment 9 Chad Jacob Milios 2020-09-21 19:14:49 UTC
Created attachment 218156 [details]
distfile to be placed into /usr/ports/distfiles

i rolled this tarball as best as i could figure how by mimicking sunpoet's prior work
Comment 10 Chad Jacob Milios 2020-09-21 19:40:36 UTC
to be clear, i wasnt aware of the 1 MB upload limit, and i'm not trying to host that distfile indefinitely at the link referenced as attachment 218156 [details]; it may go away before too long. i think i can handle it for a few weeks but please don't reference it there from the Makefile and commit that
Comment 11 Sunpoet Po-Chuan Hsieh freebsd_committer 2020-09-21 20:12:23 UTC
My original script to generate the tarball was gone due to zpool breakage. There was lots of failure while trying to build the tarball. Eventually it works last weekend.

Here's the 6.14.8 patch [1].
I plan to commit it this weekend.

[1] https://people.FreeBSD.org/~sunpoet/patch/www-npm.txt
Comment 12 Sunpoet Po-Chuan Hsieh freebsd_committer 2020-10-02 09:05:03 UTC
npm 6.14.8 landed the ports tree in r550309.