Open DesmondHsu opened 3 years ago
Any update?
```
# npm audit report

simple-get <4.0.1
Severity: high
Exposure of Sensitive Information in simple-get - https://github.com/advisories/GHSA-wpg7-2c88-r8xv
node_modules/simple-get
  prebuild-install <=6.1.4
  Depends on vulnerable versions of simple-get
  node_modules/prebuild-install
    snappy 6.1.0 - 6.3.5
    Depends on vulnerable versions of prebuild-install
    node_modules/snappy
```
Will this be addressed anytime soon?
Snappy 6.0.1 contains tar 6.1.0, which has several potential vulnerabilities: Arbitrary File Write, Regular Expression Denial of Service (ReDoS).
There doesn't seem to be any issue upgrading to Snappy 7, which doesn't contain tar. Please consider.