This package is running a really old version of npm (2.15.12 while current is 7.24.0), which has a known security vulnerability in its dependencies.
One of my projects received a dependabot security warning about tar package versions below 4.4.16. This package is currently using tar 2.2.1 through the npm package.
I tracked the minimum npm version required to plug this security hole: v7.0.0
node-gyp needs to be at least v7.0.0 to pull in this commit which upgrades the tar version to ~> 4.4.16.
This package is running a really old version of npm (
2.15.12
while current is7.24.0
), which has a known security vulnerability in its dependencies.One of my projects received a dependabot security warning about
tar
package versions below4.4.16
. This package is currently usingtar 2.2.1
through thenpm
package.I tracked the minimum npm version required to plug this security hole: v7.0.0
tar
version to~> 4.4.16
.node-gyp
dependency and has a securetar
version in this commit, which is part of thev7.0.0
release: https://github.com/npm/cli/blob/v7.0.0/package.json