AElfProject / aelf-web3.js

aelf JavaScript SDK
MIT License
16 stars 24 forks source link

[Security] Bump tar from 4.4.1 to 4.4.8 #33

Closed dependabot-preview[bot] closed 5 years ago

dependabot-preview[bot] commented 5 years ago

Bumps tar from 4.4.1 to 4.4.8. This update includes security fixes.

Vulnerabilities fixed *Sourced from The GitHub Security Advisory Database.* > **High severity vulnerability that affects tar** > A vulnerability was found in node-tar before version 4.4.2. An Arbitrary File Overwrite issue exists when extracting a tarball containing a hardlink to a file that already exists on the system, in conjunction with a later plain file with the same name as the hardlink. This plain file content replaces the existing file content. > > Affected versions: < 4.4.2
Commits - [`074c89b`](https://github.com/npm/node-tar/commit/074c89b1e639485468706af3c141a68ef8826728) 4.4.8 - [`c7bc240`](https://github.com/npm/node-tar/commit/c7bc2406eb23f624968271f9df3c917cae22e5c3) Fix hardlink extraction with strip. - [`0068764`](https://github.com/npm/node-tar/commit/0068764b53ed487300fd081922027767f4842e5e) Fix example typo - [`88d6071`](https://github.com/npm/node-tar/commit/88d6071c248042e29258f6f72c1b71721904cf22) 4.4.7 - [`41fce66`](https://github.com/npm/node-tar/commit/41fce66068cd532019be9ce8e1e3186361198466) Fix [#190](https://github-redirect.dependabot.com/npm/node-tar/issues/190): polyfill Buffer in lib/parse.js for node v4 <4.5 - [`ec2581a`](https://github.com/npm/node-tar/commit/ec2581af264c99c280ecfa7401c243b321cec2c1) clarify EOF error messages - [`6c95323`](https://github.com/npm/node-tar/commit/6c953230a12343490af7030e828cf9302f63b4d9) write-entry: handle shrinked file size than expected by lstat - [`34bdf6b`](https://github.com/npm/node-tar/commit/34bdf6b6b89091a3b0b4a8409b9c944dcce36f3b) travis: no windows. A known failing test is worse than no test. - [`dcab9b8`](https://github.com/npm/node-tar/commit/dcab9b8cc3cf4e82e96063d33dec8278670ab332) travis: add windows - [`4eb4e9b`](https://github.com/npm/node-tar/commit/4eb4e9b6c73977e2080c10a596cfd66b0d140265) travis: Add node 10, remove 4 - Additional commits viewable in [compare view](https://github.com/npm/node-tar/compare/v4.4.1...v4.4.8)


Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot ignore this [patch|minor|major] version` will close this PR and stop Dependabot creating any more for this minor/major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) - `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language - `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language - `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language - `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language - `@dependabot badge me` will comment on this PR with code to add a "Dependabot enabled" badge to your readme Additionally, you can set the following in your Dependabot [dashboard](https://app.dependabot.com): - Update frequency (including time of day and day of week) - Automerge options (never/patch/minor, and dev/runtime dependencies) - Pull request limits (per update run and/or open at any time) - Out-of-range updates (receive only lockfile updates, if desired) - Security updates (receive only security updates, if desired) Finally, you can contact us by mentioning @dependabot.
vizipi[bot] commented 5 years ago

Pull request analysis by VIZIPI

Below you will find who is the most qualified team member to review your code. This analysis includes his/her work on the code included in this Pull request, in addition to their experience in code affected by these changes ( partly found within the list of potential missing files below )   _Feedback always welcome_

Reviewers with knowledge related to these changes

Match % Person Commit Count Common Files
100.00 % Dependabot 1 1
100.00 % 轩辕焮痕 1 1

Potential missing files from this Pull request

files commonly committed with a subset of this pr, but not committed this time.

No files found with a 40% threashold


Committed file ranks

File Rank
package-lock.json 0.00%
dependabot-preview[bot] commented 5 years ago

OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting @dependabot ignore this major version or @dependabot ignore this minor version.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.