Open ilkka opened 7 years ago
Could we please get this merged?
Can we please get this merged to master? Change looks simple.
👍
@nicks do you still work on this?
This vulnerability doesn't affect us because we only download blessed binaries.
To answer @erikvold's broader question: at this point, it looks like there will be no further releases of PhantomJS (the upstream project). Thus, I basically consider this installer end-of-lifed. We would only do a release to patch major demonstrable problems.
Seems that this is superseded by https://github.com/Medium/phantomjs/pull/732
This bump allows for a future release of extract-zip, which in turn pulls in a newer future release of concat-stream to mitigate a possible memory disclosure vulnerability. extract-zip is already at 1.6.0, so this will not happen without this bump.