Summary
npm audit reports 7 high-severity advisories on every published engramgraph version from 0.3.0 through the latest 0.7.0 (i.e. every version that pulls in ryugraph), all rooted in the same transitive dependency: node-tar@6.2.1.
Dependency chain
engramgraph@0.7.0
└─ ryugraph@25.9.1
└─ cmake-js@7.4.0
└─ tar@6.2.1
cmake-js uses tar to extract a downloaded CMake toolchain archive during npm install of ryugraph's native bindings.
Advisories (all in tar@6.2.1)
Why npm audit fix doesn't help
npm audit's suggested fix is downgrading to engramgraph@0.2.0 — but that version predates the ryugraph/cmake-js dependency entirely, so it's not a real fix, just an artifact of that version not having the vulnerable path yet.
Suggested remediation
- Bump
cmake-js to a version that depends on a patched tar (tar@^6.2.1 with the fixes, or tar@7.x), if compatible with ryugraph's native build step
- Or add a
package.json overrides entry pinning tar to a patched version as a stopgap
- Or vendor/replace the CMake-download step so
tar isn't needed as a runtime/install-time dependency at all
Impact / severity in practice
Low-likelihood but non-zero: this tar usage only triggers when extracting the CMake toolchain archive downloaded during install, so real-world exploitation would require compromising that download source (supply-chain / MITM), not arbitrary user input. Flagging as high severity per npm's advisory database regardless, since engramgraph is meant to be installed as a devDependency across many consumer projects.
Environment
engramgraph@0.7.0 (also reproducible on 0.3.0–0.6.0)
npm audit output attached below for reference:
cmake-js high fixAvailable: engramgraph@0.2.0 (major, not a real fix)
engramgraph high fixAvailable: engramgraph@0.2.0 (major, not a real fix)
ryugraph high fixAvailable: engramgraph@0.2.0 (major, not a real fix)
tar high fixAvailable: engramgraph@0.2.0 (major, not a real fix)
Summary
npm auditreports 7 high-severity advisories on every publishedengramgraphversion from 0.3.0 through the latest 0.7.0 (i.e. every version that pulls inryugraph), all rooted in the same transitive dependency:node-tar@6.2.1.Dependency chain
cmake-jsusestarto extract a downloaded CMake toolchain archive duringnpm installofryugraph's native bindings.Advisories (all in
tar@6.2.1)Why
npm audit fixdoesn't helpnpm audit's suggested fix is downgrading toengramgraph@0.2.0— but that version predates theryugraph/cmake-jsdependency entirely, so it's not a real fix, just an artifact of that version not having the vulnerable path yet.Suggested remediation
cmake-jsto a version that depends on a patchedtar(tar@^6.2.1with the fixes, ortar@7.x), if compatible withryugraph's native build steppackage.jsonoverridesentry pinningtarto a patched version as a stopgaptarisn't needed as a runtime/install-time dependency at allImpact / severity in practice
Low-likelihood but non-zero: this
tarusage only triggers when extracting the CMake toolchain archive downloaded during install, so real-world exploitation would require compromising that download source (supply-chain / MITM), not arbitrary user input. Flagging as high severity per npm's advisory database regardless, sinceengramgraphis meant to be installed as a devDependency across many consumer projects.Environment
engramgraph@0.7.0(also reproducible on0.3.0–0.6.0)npm auditoutput attached below for reference: