A vulnerable version of tar is used #1714
Comments
What to expect from here? Are we going to have an update? Response? Anything?
Well, I hope that node-gyp could migrate to tar v4.4.2+ (or could convince the tar maintainers to backport the fix to a 3.x release if that's infeasible).
It looks like #1713 is working on it
Fixed by #1713
@refack Are you going to do a release with this update? Thanks!
Refs: #1718
Well, waiting for node-gyp@4 would mean that the non-vulnerable version would reach the ecosystem only after each package migrates as well, which would take a huge amount of time (and they would still have to drop 0.10 and 0.12 to get the patch anyway).
Why does the current version 3.8.0 (npmjs.org) still use the tar package in version 2.0.0 instead of 4.4.2?
@pwnpsasin see the comment above. Upgrading tar requires dropping support for node<4 (as tar dropped it in 3.x), and that requires a decision from the team.
@stof The way to address this in a way that would not require semver-major bumps of everything is isaacs/node-tar#212 (i.e. backport the security patch/patches to
@stof Why don't you create a new major version with updated tar, and when (if ever, as I see the comments there) the node-tar backport is created, release a fix for the older version? Lots of people are waiting for this update and our security guys are pinging us every day.
@gpkoltermann I'm not creating versions because I'm not a maintainer at all here.
https://github.com/nodejs/node-gyp/releases/tag/v4.0.0 has been released; it doesn't depend on the version of node-tar causing audit warnings.
See https://www.npmjs.com/advisories/803