Security vuln with archiver@1.3.0 #226

Open
imbrianj opened this issue Sep 3, 2020 · 0 comments

Comments

imbrianj commented Sep 3, 2020

There's currently a chain of dependencies that is creating a security vulnerability. If possible, grunt-contrib-compress should pin to a newer version of archiver (currently @5.0.0).

grunt-contrib-compress pins to archiver at ^1.3.0: https://github.com/gruntjs/grunt-contrib-compress/blob/master/package.json#L19

This version uses tar-stream@^1.5.0: https://github.com/archiverjs/node-archiver/blob/v1.3/package.json#L38

tar-stream@1.5.0 uses bl@^1.0.0: https://github.com/mafintosh/tar-stream/blob/17a6500850bab799f0ed6fc03237098b4acbe7de/package.json#L10

There is a current vulnerability in older versions, requiring an upgrade to packages that depend on this. Details here: https://nvd.nist.gov/vuln/detail/CVE-2020-8244
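The dependency chain described in this issue can be checked mechanically against a lockfile. The following is an added example, not code from the issue or from grunt-contrib-compress: it walks a package-lock.json v1 style nested tree (a constructed fragment mirroring grunt-contrib-compress > archiver > tar-stream > bl) and reports every path that reaches a package whose resolved version is older than a caller-supplied patched version. The patched bl version is not stated in this issue, so the demo uses a clearly labelled placeholder threshold.

```javascript
// Added example: locate every copy of a package in a nested lockfile tree
// and flag the ones older than a given patched version.

// Constructed lockfile fragment (not a real project); versions below
// archiver are made up to mirror the chain the issue describes.
const SAMPLE_LOCK = {
  name: "example-app",
  dependencies: {
    "grunt-contrib-compress": {
      version: "1.6.0",
      dependencies: {
        archiver: {
          version: "1.3.0",
          dependencies: {
            "tar-stream": {
              version: "1.5.5",
              dependencies: { bl: { version: "1.2.0" } },
            },
          },
        },
      },
    },
    bl: { version: "4.0.0" }, // a second, top-level copy of bl
  },
};

// Placeholder: substitute the patched bl version from the CVE-2020-8244 advisory.
const PLACEHOLDER_PATCHED_BL = "1.2.99";

// Compare dotted numeric versions (no prerelease tags): -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Depth-first walk of nested `dependencies`; returns {path, version} for
// every occurrence of `target`, so each vulnerable chain is visible.
function findPackage(lock, target) {
  const hits = [];
  const walk = (deps, path) => {
    for (const [name, info] of Object.entries(deps || {})) {
      const here = [...path, `${name}@${info.version}`];
      if (name === target) hits.push({ path: here, version: info.version });
      walk(info.dependencies, here);
    }
  };
  walk(lock.dependencies, []);
  return hits;
}

// Keep only occurrences whose version is older than `patchedVersion`.
function vulnerablePaths(lock, target, patchedVersion) {
  return findPackage(lock, target).filter(
    (h) => compareVersions(h.version, patchedVersion) < 0
  );
}

for (const h of vulnerablePaths(SAMPLE_LOCK, "bl", PLACEHOLDER_PATCHED_BL)) {
  console.log("vulnerable chain:", h.path.join(" > "));
}
```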

bendman added a commit to bendman/grunt-contrib-compress that referenced this issue Sep 14, 2020
by bumping archiver dependency to latest

gruntjs#226