Open qooban opened 2 years ago
@sindresorhus any chance you could give some security love to this package? <3
@sindresorhus @kevva : When can we expect the file-type vulnerability fix?
https://github.com/advisories/GHSA-mhxj-85r3-2x55.
https://nvd.nist.gov/vuln/detail/CVE-2022-36313
```
sonarqube-scanner@2.8.2
└─┬ decompress@4.2.1
  └─┬ decompress-unzip@4.0.1
    └── file-type@3.9.0
```
@qooban @alfaproject : How do you resolve this issue?
@UdayKumarNettem I don't have a solution for that. I provided my findings in the issue description.
The following report is provided by NPM audit when using the latest version of the `decompress` package (v4.2.1):

More description about the problem is provided here: https://github.com/advisories/GHSA-mhxj-85r3-2x55

The fix was implemented in `file-type` v16.5.4, so probably `file-type` should just be bumped in the sub-packages: `decompress-tar`, `decompress-tarbz2`, `decompress-targz`, `decompress-unzip`.
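To confirm which transitive installs are still below the fixed release named above, here is an added example (not code from the issue thread or the `decompress` project) that walks an `npm ls --json`-style tree and lists every path ending in a `file-type` older than 16.5.4; the tree and the `decompress-tar` version in it are constructed to mirror the output quoted earlier.

```javascript
// Added example: flag file-type installs older than the fixed version (16.5.4)
// in an `npm ls --json`-shaped dependency tree. The tree is constructed here
// to mirror the `npm ls` output quoted in the thread; the decompress-tar branch
// is an invented value so that a fixed install sits beside the vulnerable one.
const sampleTree = {
  name: 'sonarqube-scanner', version: '2.8.2',
  dependencies: {
    decompress: {
      version: '4.2.1',
      dependencies: {
        'decompress-unzip': {
          version: '4.0.1',
          dependencies: { 'file-type': { version: '3.9.0' } },
        },
        'decompress-tar': {
          version: '0.0.0-constructed', // placeholder, not a real release
          dependencies: { 'file-type': { version: '16.5.4' } },
        },
      },
    },
  },
};

// Compare dotted numeric versions (ignoring any prerelease suffix):
// negative if a < b, 0 if equal, positive if a > b.
function compareVersions(a, b) {
  const parse = (v) => v.split('-')[0].split('.').map(Number);
  const pa = parse(a), pb = parse(b);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Return "root > dep > ... > pkg@version" paths for every install of `pkg`
// whose version is below `fixedIn`, descending the whole tree.
function findVulnerable(tree, pkg, fixedIn) {
  const hits = [];
  const walk = (node, path) => {
    for (const [name, dep] of Object.entries(node.dependencies || {})) {
      const next = [...path, `${name}@${dep.version}`];
      if (name === pkg && compareVersions(dep.version, fixedIn) < 0) hits.push(next.join(' > '));
      walk(dep, next);
    }
  };
  walk(tree, [`${tree.name}@${tree.version}`]);
  return hits;
}

console.log(findVulnerable(sampleTree, 'file-type', '16.5.4'));
```

Against a real project, feed the script the parsed output of `npm ls --all --json` instead of the constructed tree.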