npm audit Arbitrary File Overwrite
angular-cli relies on node-gyp, which has an open issue for this: https://github.com/nodejs/node-gyp/issues/1714
To work around, you can patch node-gyp and then patch angular to use your patched node-gyp. Or wait and hope that they will fix it soon.
The following worked for me:
Go to node_modules > node-gyp > package.json, then locate tar under dependencies and replace 2.0.0 with 4.4.8.
Then run:
- npm i
- npm audit
- npm audit fix
- npm audit
You should see 0 vulnerabilities.
I've updated a few angular projects and each project had the same issue. Doing the above worked all the time.