Skip to content

npm audit: 7 high-severity node-tar advisories via ryugraph -> cmake-js dependency chain #1

Description

@AsiaOstrich

Summary

npm audit reports 7 high-severity advisories on every published engramgraph version from 0.3.0 through the latest 0.7.0 (i.e. every version that pulls in ryugraph), all rooted in the same transitive dependency: node-tar@6.2.1.

Dependency chain

engramgraph@0.7.0
└─ ryugraph@25.9.1
   └─ cmake-js@7.4.0
      └─ tar@6.2.1

cmake-js uses tar to extract a downloaded CMake toolchain archive during npm install of ryugraph's native bindings.

Advisories (all in tar@6.2.1)

Why npm audit fix doesn't help

npm audit's suggested fix is downgrading to engramgraph@0.2.0 — but that version predates the ryugraph/cmake-js dependency entirely, so it's not a real fix, just an artifact of that version not having the vulnerable path yet.

Suggested remediation

  • Bump cmake-js to a version that depends on a patched tar (tar@^6.2.1 with the fixes, or tar@7.x), if compatible with ryugraph's native build step
  • Or add a package.json overrides entry pinning tar to a patched version as a stopgap
  • Or vendor/replace the CMake-download step so tar isn't needed as a runtime/install-time dependency at all

Impact / severity in practice

Low-likelihood but non-zero: this tar usage only triggers when extracting the CMake toolchain archive downloaded during install, so real-world exploitation would require compromising that download source (supply-chain / MITM), not arbitrary user input. Flagging as high severity per npm's advisory database regardless, since engramgraph is meant to be installed as a devDependency across many consumer projects.

Environment

  • engramgraph@0.7.0 (also reproducible on 0.3.00.6.0)
  • npm audit output attached below for reference:
cmake-js  high  fixAvailable: engramgraph@0.2.0 (major, not a real fix)
engramgraph  high  fixAvailable: engramgraph@0.2.0 (major, not a real fix)
ryugraph  high  fixAvailable: engramgraph@0.2.0 (major, not a real fix)
tar  high  fixAvailable: engramgraph@0.2.0 (major, not a real fix)

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions