Update fstream to a secure version

EvanOxfeld / node-unzip

node.js cross-platform unzip using streams

MIT License

613 stars 343 forks source link

Update fstream to a secure version #125

Open TomasBarry opened 5 years ago

TomasBarry commented 5 years ago

fstream has a vulnerability in versions lower than 1.0.12.

Remediation: Upgrade fstream to version 1.0.12 or later. For example:

fstream@^1.0.12:

  version "1.0.12"

WS-2019-0100 Vulnerable versions: < 1.0.12 Patched version: 1.0.12 Versions of fstream prior to 1.0.12 are vulnerable to Arbitrary File Overwrite.

divanishyn commented 4 years ago

Is this project alive?

TomasBarry commented 4 years ago

@divanishyn, it doesn't appear to be maintained. Could be time to fork and have a maintained alternative.

ZJONSSON commented 4 years ago

A drop in replacement that is actively maintained can be found here: https://www.npmjs.com/package/unzipper

tanmayghosh2507 commented 4 years ago

A drop in replacement that is actively maintained can be found here: https://www.npmjs.com/package/unzipper

I used this package in my project and there are no more security vulnerabilities.

divanishyn commented 4 years ago

@ZJONSSON @tanmayghosh2507 @TomasBarry thanks, unzipper works just fine!