A vulnerable version of tar is used #1714
Comments
What to expect from here? Are we going to have an update? Response? Anything?
Well, I hope that node-gyp could migrate to tar v4.4.2+ (or could convince the tar maintainers to backport the fix to a 3.x release if that's infeasible).
It looks like #1713 is working on it
Fixed by #1713
@refack Are you going to do a release with this update? Thanks!
Refs: #1718
Well, waiting for node-gyp@4 would mean that the non-vulnerable version would reach the ecosystem only after each package migrates as well, which would take a huge amount of time (and they would still have to drop 0.10 and 0.12 to get the patch anyway).
Why does the current version 3.8.0 (npmjs.org) still use tar version 2.0.0 instead of 4.4.2?
@pwnpsasin see the comment above. Upgrading tar requires dropping support for node<4 (as tar dropped it in 3.x) and that requires a decision from the team.
@stof The way to address this in a way that would not require semver-major bumps of everything is isaacs/node-tar#212 (i.e. backport the security patch/patches to
@stof Why don't you create a new major version with updated tar, and when (if ever, as I see the comments there) the node-tar backport is created, release a fix for the older version? Lots of people are waiting for this update and our security guys are pinging us every day.
@gpkoltermann I'm not creating versions because I'm not a maintainer at all here.
https://github.com/nodejs/node-gyp/releases/tag/v4.0.0 has been released, it doesn't depend on the version of node-tar causing audit warnings.
See https://www.npmjs.com/advisories/803