This package is running a really old version of npm (2.15.12 while current is 7.24.0), which has a known security vulnerability in its dependencies.
One of my projects received a dependabot security warning about tar package versions below 4.4.16. This package is currently using tar 2.2.1 through the npm package.
I tracked the minimum npm version required to plug this security hole: v7.0.0
node-gyp needs to be at least v7.0.0 to pull in this commit which upgrades the tar version to ~> 4.4.16.
This package is running a really old version of npm (
2.15.12while current is7.24.0), which has a known security vulnerability in its dependencies.One of my projects received a dependabot security warning about
tarpackage versions below4.4.16. This package is currently usingtar 2.2.1through thenpmpackage.I tracked the minimum npm version required to plug this security hole: v7.0.0
tarversion to~> 4.4.16.node-gypdependency and has a securetarversion in this commit, which is part of thev7.0.0release: https://github.com/npm/cli/blob/v7.0.0/package.json