mafintosh / tar-stream

tar-stream is a streaming tar parser and generator.
MIT License

Fix buffer over-read vulnerability existing in bl < 4.0.3 #125

Closed NicolasCARPi closed 3 years ago

NicolasCARPi commented 3 years ago

See https://github.com/advisories/GHSA-pp7h-53gx-mx7r Fix: CVE-2020-8244

mririgoyen commented 3 years ago

+1 to this. Please consider merging to resolve this high-severity vulnerability as soon as you can. Thank you!

heyfirst commented 3 years ago

+1 for this. Please consider merging this PR.

mafintosh commented 3 years ago

As mentioned in the issue, the package.json semver already installs the fix. Will merge this as well, but note this has been fixed since the moment the bl fix was released.

mririgoyen commented 3 years ago

Thanks. Yes, semver would handle this; however, because everyone uses lockfiles now, most people are not going to automatically get this unless they know to invalidate their lockfiles, which kind of goes against lockfiles in the first place. 😄

I see this was merged, but an updated version of tar-stream was not published to NPM. Could you bump the patch version and publish to NPM so that your dependencies can get it? archiver uses this, but cannot resolve the issue there until an updated version is published.

Thank you!
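A check for the lockfile situation described in this comment, added here as an example and not code from tar-stream or this PR: it scans a package-lock.json object (lockfileVersion 1 nested tree or lockfileVersion 2/3 flat `packages` map) for any `bl` that resolves below the patched 4.0.3 from the advisory. The sample lockfile and every version in it are constructed.

```javascript
// Added example: find lockfile entries where bl resolves below the fixed version.
// A ^-range in package.json does not help until the lockfile is refreshed, so
// the lockfile's resolved versions are what npm ci actually installs.
const PATCHED_BL = '4.0.3'; // patched version from GHSA-pp7h-53gx-mx7r

// Compare two dotted numeric versions; returns <0, 0 or >0 like a comparator.
// Pre-release suffixes are dropped, which is enough for 4.0.x style versions.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Return every location where `name` resolves to a version below minVersion.
// Handles both lockfile layouts: v2/v3 keys look like
// "node_modules/tar-stream/node_modules/bl"; v1 nests "dependencies" objects.
function findVulnerable(lock, name, minVersion) {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const isTarget = path === `node_modules/${name}` || path.endsWith(`/node_modules/${name}`);
    if (isTarget && compareVersions(entry.version, minVersion) < 0) {
      hits.push({ path, version: entry.version });
    }
  }
  const walk = (deps, prefix) => {
    for (const [dep, entry] of Object.entries(deps || {})) {
      const path = `${prefix}${dep}`;
      if (dep === name && compareVersions(entry.version, minVersion) < 0) {
        hits.push({ path, version: entry.version });
      }
      walk(entry.dependencies, `${path} > `); // v1 nests transitive deps
    }
  };
  if (!lock.packages) walk(lock.dependencies, ''); // only v1 lacks "packages"
  return hits;
}

// Constructed sample (v2 layout, made-up versions): top-level bl is patched,
// but the copy nested under tar-stream is still pinned below the fix.
const SAMPLE_LOCK = {
  lockfileVersion: 2,
  packages: {
    'node_modules/tar-stream': { version: '0.0.1' },
    'node_modules/tar-stream/node_modules/bl': { version: '4.0.2' },
    'node_modules/bl': { version: '4.0.3' },
  },
};

console.log(JSON.stringify(findVulnerable(SAMPLE_LOCK, 'bl', PATCHED_BL)));
```

Run it against a real lockfile by replacing SAMPLE_LOCK with the parsed file contents; an empty result means every resolved bl is already at or above 4.0.3.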

mafintosh commented 3 years ago

If they use a lock file they still need to update it, which would fix it in the first place since the semver is already covered. Made a new patch release as well.

mririgoyen commented 3 years ago

Thank you for the patch, much appreciated!