dlmanning / gulp-sass

SASS plugin for gulp
MIT License

Dependency "tar" - high severity vulnerability #730

Closed NickThompson1993 closed 5 years ago

NickThompson1993 commented 5 years ago

npm is reporting that the "tar" (gulp-sass > node-sass > node-gyp > tar) dependency version is vulnerable to Arbitrary File Overwrite. https://nodesecurity.io/advisories/803

This issue only affects tar <4.4.2; would it be possible to update gulp-sass's dependency to a more recent version to prevent this?

Many thanks

stof commented 5 years ago

this is currently being worked on by the node-gyp team: https://github.com/nodejs/node-gyp/pull/1713

gulp-sass does not directly use tar, so it cannot fix this itself.

RobertAKARobin commented 5 years ago

@stof Looks like node-gyp merged the fix.

stof commented 5 years ago

@RobertAKARobin they have so far merged it only into the master branch, which is the dev version of the upcoming 4.0. There is no release containing the fix yet. The work on backporting it to their 3.8 branch to create a patch 3.8.1 release is in progress in https://github.com/nodejs/node-gyp/pull/1718

xzyfer commented 5 years ago

Tracking in https://github.com/sass/node-sass/issues/2625.

Locking this issue in the meantime.

xzyfer commented 5 years ago

node-tar released a fix. Run npm update node-tar to resolve the npm audit warnings.