manusa / isotope-mail

Isotope Mail Client
https://blog.marcnuri.com/isotope-mail-client-introduction/
Apache License 2.0

Security alert: tar v2.2.1 (node-sass) #271

Closed manusa closed 5 years ago

manusa commented 5 years ago

Node-sass v4.9.3 depends on tar v2.2.0, which has a security vulnerability:

+-- node-sass@4.9.3
  `-- node-gyp@3.8.0
    `-- tar@2.2.1

CVE-2018-20834 (high severity)
Vulnerable versions: < 4.4.2
Patched version: 4.4.2
A vulnerability was found in node-tar before version 4.4.2. An Arbitrary File Overwrite issue exists when extracting a tarball containing a hardlink to a file that already exists on the system, in conjunction with a later plain file with the same name as the hardlink. This plain file content replaces the existing file content.

Blocked by [sass/node-sass#2625]
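A pre-extraction audit for the hardlink-then-plain-file pattern the alert describes, as an added example (not node-tar's or isotope-mail's code). It parses ustar headers directly so it needs no npm packages; the two archives it checks are constructed inside the block, and README.md is an assumed file that already exists at the extraction destination.

```javascript
// Added example (not node-tar's code): pre-extraction audit for the CVE-2018-20834 pattern,
// a hardlink entry followed by a plain file with the same name. Parses raw ustar headers
// directly (no npm packages); the sample archives below are constructed here.
const NUL = '\0';
function field(hdr, off, len) {                            // NUL-terminated string field of a header
  const s = hdr.subarray(off, off + len).toString('utf8');
  return s.includes(NUL) ? s.slice(0, s.indexOf(NUL)) : s;
}
// Walk the archive header by header (plain ustar only; GNU long-name extensions are not handled).
function* entries(tar) {
  for (let off = 0; off + 512 <= tar.length; ) {
    const hdr = tar.subarray(off, off + 512);
    if (hdr.every((b) => b === 0)) break;                  // zero block terminates the archive
    const size = parseInt(field(hdr, 124, 12) || '0', 8);  // size is ASCII octal
    yield { name: field(hdr, 0, 100), size, type: String.fromCharCode(hdr[156]), linkname: field(hdr, 157, 100) };
    off += 512 + Math.ceil(size / 512) * 512;               // skip header plus padded data blocks
  }
}
// Report every plain-file entry whose name was earlier declared as a hardlink (typeflag '1').
function findHardlinkOverwrites(tar) {
  const hardlinks = new Map();                              // entry name -> link target
  const findings = [];
  for (const e of entries(tar)) {
    if (e.type === '1') hardlinks.set(e.name, e.linkname);
    else if ((e.type === '0' || e.type === NUL) && hardlinks.has(e.name))
      findings.push({ name: e.name, target: hardlinks.get(e.name) });
  }
  return findings;
}
function header(name, type, size, linkname = '') {         // one ustar header, for the samples only
  const h = Buffer.alloc(512);                              // unset numeric fields stay NUL
  h.write(name, 0); h.write('0000644' + NUL, 100);
  h.write(size.toString(8).padStart(11, '0') + NUL, 124);
  h.write('        ', 148);                                 // checksum field counts as spaces
  h[156] = type.charCodeAt(0); h.write(linkname, 157); h.write('ustar' + NUL + '00', 257);
  let sum = 0; for (const b of h) sum += b;
  h.write(sum.toString(8).padStart(6, '0') + NUL + ' ', 148);
  return h;
}
// Constructed sample: hardlink pkg/notes.txt -> README.md (assumed to exist at the destination),
// then a plain pkg/notes.txt whose bytes a vulnerable tar would write into README.md.
function buildSuspiciousTar() {
  const body = Buffer.alloc(512); body.write('replacement content\n');
  return Buffer.concat([header('pkg/notes.txt', '1', 0, 'README.md'),
    header('pkg/notes.txt', '0', 20), body, Buffer.alloc(1024)]);
}
function buildBenignTar() {                                 // same archive without the hardlink entry
  const body = Buffer.alloc(512); body.write('hello\n');
  return Buffer.concat([header('pkg/notes.txt', '0', 6), body, Buffer.alloc(1024)]);
}
```

Run the audit over a downloaded package tarball (gunzipped into a Buffer) before extracting it; any finding names the entry that would overwrite an existing file on a vulnerable tar.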

manusa commented 5 years ago

Although the security issue is gone after https://github.com/sass/node-sass/issues/2625#issuecomment-492464554, the node-sass version will be updated to the latest.