Bump tar version (solve 2 high severity vulnerabilities)

[bbailleux]

The tar module used in node-pre-gyp, currently version 6.1.0, has two recently published high severity vulnerabilities.

See:

• Arbitrary File Creation/Overwrite due to insufficient absolute path sanitization
• Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning

Those vulnerabilities has been fixed in tar version 6.1.2 (current version is 6.1.6)

Would you please consider upgrading (those CVEs break our CI/CD)?

[QuteBits]

Agreed, some of our production servers started spewing those 2 in the logs recently. Also went through the last 20 releases of node-pre-gyp and didn't find any that would not have those 2 errors, so currently there is no release to fall back on.

[rvravi]

Could we get the tar package version bumped asap? It will help us get rid of 2 high severity vulnerabilities.

[jeksmith]

Please do this ASAP. Need tar version 6.1.9 now. Latest vulnerabilities:

• Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning using symbolic links
• Arbitrary File Creation/Overwrite on Windows via insufficient relative path sanitization

[jeksmith]

Actually there need not be a version bump afterall. node-pre-gyp defines the tar dependency as "tar": "^6.1.0", which allows for an update to 6.1.9.

[springmeyer]

Agree with @jeksmith that upgrading node-pre-gyp was/is not necessary to solve the tar issue. But for folks that want to upgrade, a version is now available (@mapbox/node-pre-gyp@1.0.6) that enforces a more recent version of tar to ensure the vulnerability is mitigated without a doubt.