This repository has been archived by the owner on Feb 18, 2024. It is now read-only.
dependency tar@1.0.3 has known security flaw #114
Comments
Thanks for posting! Yes, exactly, it sounds like the symlink ignores should avoid exposure to this, but will get to the upgrade when I can.
Also, this version of tar is using a deprecated version of graceful-fs that will fail on newer node versions.
Do you have any estimate when you are going to address this issue?
This has been updated.
Hi, I think the latest version of jspm-npm still depends on tar ^1.0.3 as per https://github.com/jspm/npm/blob/master/package.json#L29 - need to bump to ^2.0.0 to fix that.
As reported here:
https://nodesecurity.io/advisories/57
https://snyk.io/vuln/npm:tar:20151103
Upgrading tar to ^2.0.0 should remedy this; the public API seems to not have changed from 1.x to 2.x? (Not very semver-ish, but still.)