Closed NicolasCARPi closed 3 years ago
+1 to this. Please consider merging to resolve this high-severity vulnerability as soon as you can. Thank you!
+1 for this. Please consider merging this PR.
As mentioned in the issue, the package.json semver already installs the fix. Will merge this as well, but note this has been fixed as soon as the bl fix was released.
Thanks. Yes, semver would handle this; however, because everyone uses lockfiles now, most people are not going to automatically get this unless they know to invalidate their lockfiles, which kind of goes against lockfiles in the first place. 😄
I see this was merged, but an updated version of tar-stream was not published to NPM. Could you bump the patch version and publish to NPM so that your dependencies can get it? archiver uses this, but cannot resolve the issue there until an updated version is published.
Thank you!
If they use a lock file, they still need to update it, which would fix it in the first place since the semver is already covered. Made a new patch release as well.
Thank you for the patch, much appreciated!
See https://github.com/advisories/GHSA-pp7h-53gx-mx7r Fix: CVE-2020-8244