mapbox / node-pre-gyp

Node.js tool for easy binary deployment of C++ addons
BSD 3-Clause "New" or "Revised" License

Upgrade `tar` to mitigate security vulnerabilities #600

Closed thekumar closed 2 years ago

thekumar commented 3 years ago

Upgrade `tar` dependency to v6.1.6 to mitigate the following security issues fixed in 6.1.1 and 6.1.2.

https://www.npmjs.com/advisories/1770
https://www.npmjs.com/advisories/1771

iorrah commented 3 years ago

Hello! When can we merge this PR? It addresses a vulnerability issue.

TheVaan commented 2 years ago

Hey @springmeyer, could you please review, merge this PR and release a new version to fix the sec vul?

springmeyer commented 2 years ago

Apologies for the wait here - I was on parental leave and we (mapbox) missed coverage of this library while I was away. So, I'll be getting a v1.0.6 release out with this fix included (landed in https://github.com/mapbox/node-pre-gyp/commit/3aadedf63f91062d717430ef23a9d3ada81803ee) and I'll be needing to find other potential maintainers for this library for the future (if anyone is interested please email me at dane@mapbox.com).

springmeyer commented 2 years ago

Done now in v1.0.6 per https://github.com/mapbox/node-pre-gyp/issues/597#issuecomment-948936462