CVE-2022-0401 Path Traversal in NPM w-zip prior to 1.0.12.

CVE-2022-0401 Path Traversal in NPM w-zip prior to 1.0.12.

W-zip was created by the Node Package Manager team as a zip/unzip compatible module. With the release of NPM v1.0, the team announced plans to deprecate the w-zip module, as support for this module is being phased out.

W-zip is still available as a dependency in current versions of Node.js as of this article’s publication, but it will be removed in the future. In the meantime, you can easily work around this dependency problem by installing W-zip as a zip compatible module. Install W-zip as a zip compatible module with the following command. npm install wzip --save Alternatively, you can install W-zip from the latest release on the project’s GitHub page. Install the latest version of W-zip from GitHub. wzip --version 1.0.12

Now that W-zip is installed as a zip compatible module, you’ll need to update your package.json file to include the new dependency. Open the package.json file in your favorite text editor and add the new dependency. "dependencies": { "wzip": "^1.0.12" } Now that W-zip is installed as a zip compatible module, you’ll need to update your package.json file to include the new dependency. Open the package.json file in your favorite text editor and add the new dependency. W-zip has been installed as a zip

Alternative Way to Install W-zip

You can install W-zip as a zip compatible module with the following command. npm install wzip -D
Alternatively, you can install W-zip from the latest release on the project’s GitHub page. Install the latest version of W-zip from GitHub.

Install W-zip As a compression Module

If you want to continue using w-zip, you can also install it as a compression module. Create a new file called package.json in the same location as your previous one and add the following line to it: "dependencies": { "wzip": "^1.0.12" } Now that W-zip is installed as a zip compatible module, you’ll need to update your package.json file to include the new dependency. Open the package.json file in your favorite text editor and add the new dependency. Install w-zip from GitHub

Installing W-zip as a Zip Compatible Module

To install W-zip as a zip compatible module, make sure that you have npm installed on your machine. If you don’t, you can download and install it from the official website. Next, open the terminal on your computer and execute the following command to install W-zip as a zip compatible module. npm install wzip --save
W-Zip is a dependency for Node Packages Manager (NPM) - which tells NPM not to remove this package when it deprecates it in future versions of Node.js

Install w-ts, a zip compatible transform module

If you are still running v0.10.x of Node.js, you will need to install a zip compatible transform module in order to work around this deprecation problem with w-zip. The easiest way to install w-ts is with the following command: npm install wts --save Now that W-zip is installed as a zip compatible module, you’ll need to update your package.json file to include the new dependency. Open the package.json file in your favorite text editor and add the new dependency. "dependencies": { "wts": "^2.0" }

Installing W-zip as a Base Module

You can install W-zip as a base module by adding the following to your package.json file. "package": { "name": "my-project", "private": true, "scripts": {}, "dependencies": { "wzip": "1.0.12" }, "devDependencies": {}, }
Now that you’ve installed W-zip as a base module, you can use it in your project with the following command. wzip --version 1.0.12

References

Subscribe to CVE.news
Don’t miss out on the latest issues. Sign up now to get access to the library of members-only issues.
jamie@example.com
Subscribe