Closed bbailleux closed 2 years ago
Agreed, some of our production servers started spewing those 2 in the logs recently. Also went through the last 20 releases of node-pre-gyp and didn't find any that would not have those 2 errors, so currently there is no release to fall back on.
Could we get the tar package version bumped asap? It will help us get rid of 2 high severity vulnerabilities.
Please do this ASAP. Need tar version 6.1.9 now. Latest vulnerabilities:
Actually there need not be a version bump after all. node-pre-gyp defines the tar dependency as "tar": "^6.1.0", which allows for an update to 6.1.9.
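The point above hinges on what an npm caret range admits: "^6.1.0" accepts any 6.x.y at or above 6.1.0, so a fixed tar can be pulled in by refreshing the lockfile without touching node-pre-gyp. The following is an added example (not code from this thread or from node-pre-gyp) that evaluates a caret range against a fixed version and reports which remediation applies; the package.json snippet and the lockfile entry are constructed samples, and 6.1.2 is taken from the issue text as the first fixed tar release.

```python
"""Decide whether a caret range already admits a fixed release (added example)."""
import json
import re

# Constructed samples: the dependency declaration quoted in the thread and a
# hypothetical lockfile entry that still pins the vulnerable tar 6.1.0.
PACKAGE_JSON = '{"dependencies": {"tar": "^6.1.0"}}'
LOCKFILE = '{"dependencies": {"tar": {"version": "6.1.0"}}}'

FIXED_TAR = (6, 1, 2)  # first tar release carrying the fixes, per the issue


def parse_version(text):
    """'6.1.9' -> (6, 1, 9); tuples compare correctly component by component."""
    return tuple(int(part) for part in text.strip().split("."))


def caret_allows(range_spec, candidate):
    """True if the npm caret range ^X.Y.Z admits the candidate version tuple.

    For X > 0 the range is [X.Y.Z, (X+1).0.0); for X == 0 npm narrows it to
    [0.Y.Z, 0.(Y+1).0), which is why ^0.y.z ranges do not pick up fixes as freely.
    """
    match = re.fullmatch(r"\^(\d+)\.(\d+)\.(\d+)", range_spec)
    if not match:
        raise ValueError(f"unsupported range: {range_spec}")
    low = tuple(int(part) for part in match.groups())
    high = (0, low[1] + 1, 0) if low[0] == 0 else (low[0] + 1, 0, 0)
    return low <= candidate < high


def assess(package_json, lockfile, fixed=FIXED_TAR):
    """Compare the declared range and the locked version against the fixed release."""
    spec = json.loads(package_json)["dependencies"]["tar"]
    installed = parse_version(json.loads(lockfile)["dependencies"]["tar"]["version"])
    vulnerable = installed < fixed
    admits_fix = caret_allows(spec, fixed)
    if not vulnerable:
        action = "nothing to do: locked tar is already at or above the fixed release"
    elif admits_fix:
        action = "refresh the lockfile (npm update tar); no parent bump needed"
    else:
        action = "declared range excludes the fix: bump the parent package"
    return {"installed_vulnerable": vulnerable, "range_admits_fix": admits_fix, "action": action}


if __name__ == "__main__":
    print(assess(PACKAGE_JSON, LOCKFILE))
```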
Agree with @jeksmith that upgrading node-pre-gyp was/is not necessary to solve the tar issue. But for folks that want to upgrade, a version is now available (@mapbox/node-pre-gyp@1.0.6) that enforces a more recent version of tar to ensure the vulnerability is mitigated without a doubt.
The tar module used in node-pre-gyp, currently version 6.1.0, has two recently published high severity vulnerabilities. See:
Those vulnerabilities have been fixed in tar version 6.1.2 (current version is 6.1.6). Would you please consider upgrading (those CVEs break our CI/CD)?