This repository has been archived by the owner on Aug 11, 2021. It is now read-only.

Tar package vulnerability on install #28

Closed
laurenfrederick opened this issue Apr 12, 2019 · 4 comments

Comments

@laurenfrederick

npm-lifecycle is using a version of node-gyp which is pointing to a version of tar that has a vulnerability. See https://www.npmjs.com/advisories/803.

@evocateur

The underlying issue has been patched in the source of node-gyp. This issue isn't valid for npm-lifecycle (or lerna, for that matter).

@ChALkeR

ChALkeR commented Apr 24, 2019

This can be resolved with either updating to a node-gyp@4 here or doing a patch release of npm/node-tar@2, ref: isaacs/node-tar#212.
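The thread above is about a vulnerable `tar` reached only transitively (npm-lifecycle → node-gyp → tar). As an added example that is not code from npm-lifecycle or anyone in this thread, the script below walks a `package-lock.json` tree and reports every path ending at a given package, then flags the occurrences below an assumed "first fixed" version per major line; the lock file, the versions in it and the fixed-version table are constructed placeholders, to be filled in from the advisory for a real check.

```javascript
// Added example (not from npm-lifecycle or this thread): find every path in a
// package-lock.json dependency tree that ends at `target`, so that a transitive
// dependency such as npm-lifecycle -> node-gyp -> tar becomes visible.
// The lock file below is CONSTRUCTED for illustration; versions are placeholders.
const LOCK = {
  name: "example-app",
  dependencies: {
    "npm-lifecycle": {
      version: "2.1.0",
      requires: { "node-gyp": "^3.8.0" },
      dependencies: {
        "node-gyp": {
          version: "3.8.0",
          requires: { tar: "^2.0.0" },
          dependencies: { tar: { version: "2.2.1" } },
        },
      },
    },
    tar: { version: "4.4.8" },
  },
};

// Recursively collect { path, version } for every occurrence of `target`.
function findPaths(deps, target, prefix = [], out = []) {
  for (const [name, info] of Object.entries(deps || {})) {
    const path = [...prefix, `${name}@${info.version}`];
    if (name === target) out.push({ path, version: info.version });
    findPaths(info.dependencies, target, path, out);
  }
  return out;
}

// Minimal semver comparison on major.minor.patch (no prerelease handling).
function semverLt(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) < (pb[i] || 0);
  }
  return false;
}

// Keep only occurrences older than the first fixed version of their major line.
// `fixedByMajor` is an ASSUMED shape { "<major>": "<firstFixedVersion>" }; fill it
// from the advisory (https://www.npmjs.com/advisories/803) rather than guessing.
function vulnerablePaths(lock, target, fixedByMajor) {
  return findPaths(lock.dependencies, target).filter(({ version }) => {
    const fixed = fixedByMajor[version.split(".")[0]];
    return fixed !== undefined && semverLt(version, fixed);
  });
}
```

Run against a real lock file by replacing `LOCK` with `JSON.parse(fs.readFileSync("package-lock.json"))` and printing `path.join(" > ")` for each result; the nested copy is the one `npm ls tar` would show under node-gyp.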

@jhnferraris

Created a PR to update node-gyp@4 here. #31

@kaiyoma

kaiyoma commented Apr 24, 2019

When can we expect a release? lerna depends on this package, so all users of lerna are currently exposed to the tar vulnerability.
