npm audit Arbitrary File Overwrite

angular-cli relies on node-gyp, who have an open issue for this:

To work around, you can patch node-gyp and then patch angular to use your patched node-gyp. Or wait and hope that they will fix it soon.

The following worked for me:

Go to node_modules > node_gyp > package.json, then locate tar under dependencies and replace 2.0.0 with 4.4.8.

Then run:

  1. npm i
  2. npm audit
  3. npm audit fix
  4. npm audit

you should see 0 vulnerabilities.

I've updated a few angular projects and each project had the same issue. Doing the above worked all the time.