jspm / npm

NPM Location Service

dependency tar@1.0.3 has known security flaw #114

Closed krugar closed 8 years ago

krugar commented 8 years ago

As reported here: https://nodesecurity.io/advisories/57 https://snyk.io/vuln/npm:tar:20151103

Symlink Arbitrary File Overwrite (...) The tar module prior to version 2.0.0 does not properly normalize symbolic links pointing to targets outside the extraction root. As a result, packages may hold symbolic links to parent and sibling directories and overwrite those files when the package is extracted.

Upgrading tar to ^2.0.0 should remedy this; the public API seems not to have changed from 1.x to 2.x? (not very semver-ish, but still)

guybedford commented 8 years ago

Thanks for posting! Yes, exactly, it sounds like the symlink ignores should avoid exposure to this, but I will get to the upgrade when I can.

paulwalker commented 8 years ago

Also, this version of tar is using a deprecated version of graceful-fs that will fail on newer Node versions.

ppitonak commented 8 years ago

Do you have any estimate when you are going to address this issue?

guybedford commented 8 years ago

This has been updated.

gavinaiken commented 5 years ago

Hi, I think the latest version of jspm-npm still depends on tar ^1.0.3 as per https://github.com/jspm/npm/blob/master/package.json#L29 - need to bump to ^2.0.0 to fix that npm audit warning. Any chance? Thanks!