Open izumo27 opened 9 months ago
I opened a fix a few days ago. #707
As a strawpoll, I'm curious what packages you guys are using that depend on this package? It looks like it's not been maintained for a bit, and now there's a few alternatives to use, so it may be wise to try and get those dependencies updated to use a more up-to-date package.
Personally, I use node-argon2, which used to depend on this; not anymore, they switched to just using node-gyp-build + prebuildify. See this commit: https://github.com/ranisalt/node-argon2/commit/b47602840a259946039db8526ddd182d1430f634#diff-7ae45ad102eab3b6d7e7896acd08c427a9b25b346470d7bc6507b6481575d519
This fix would be good; we use libxmljs, which pulls in node-pre-gyp, so we are impacted by this vulnerability. Accepting @pnappa's pull request would be great.

```text
% npm audit
# npm audit report

@babel/traverse  <7.23.2
Severity: critical
Babel vulnerable to arbitrary code execution when compiling specifically crafted malicious code - https://github.com/advisories/GHSA-67hx-6x53-jw92
fix available via `npm audit fix`
node_modules/@babel/traverse

tar  <6.2.1
Severity: moderate
Denial of service while parsing a tar file due to lack of folders count validation - https://github.com/advisories/GHSA-f5x3-32g6-xq36
fix available via `npm audit fix`
node_modules/tar

2 vulnerabilities (1 moderate, 1 critical)
```
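The audit output above names the vulnerable packages but not which direct dependency in package.json drags them in, which is what you need to know before deciding whether to swap that dependency out. As an added example, not code from this thread or from node-pre-gyp, the script below takes an `npm audit --json` report and walks its `effects` (reverse-dependency) links back to the direct dependencies, with a cycle guard. It assumes the npm 7+ report shape (`auditReportVersion: 2`); the function name and the sample report are mine, and the sample's `libxmljs > @mapbox/node-pre-gyp > tar` chain is constructed to mirror the comment above, not taken from a real audit.

```javascript
// Added example, not code from this issue thread or from node-pre-gyp.
// Attributes each advisory in an `npm audit --json` report to the direct
// dependency (the one in your package.json) that pulls the vulnerable
// package in, by walking the report's reverse-dependency `effects` links.
// Assumption: the npm 7+ report shape (auditReportVersion 2), where
// vulnerabilities[name].via holds advisory objects (or names of vulnerable
// deps), .effects lists the packages that depend on name, and .isDirect
// marks top-level dependencies.

// Constructed sample report. The chain libxmljs -> @mapbox/node-pre-gyp -> tar
// mirrors the comment above; the @babel chain is illustrative only.
const sampleReport = {
  auditReportVersion: 2,
  vulnerabilities: {
    tar: {
      name: "tar", severity: "moderate", isDirect: false,
      via: [{
        name: "tar", severity: "moderate", range: "<6.2.1",
        title: "Denial of service while parsing a tar file",
        url: "https://github.com/advisories/GHSA-f5x3-32g6-xq36",
      }],
      effects: ["@mapbox/node-pre-gyp"], range: "<6.2.1",
      nodes: ["node_modules/tar"], fixAvailable: true,
    },
    "@mapbox/node-pre-gyp": {
      name: "@mapbox/node-pre-gyp", severity: "moderate", isDirect: false,
      via: ["tar"], effects: ["libxmljs"], range: "*",
      nodes: ["node_modules/@mapbox/node-pre-gyp"], fixAvailable: true,
    },
    libxmljs: {
      name: "libxmljs", severity: "moderate", isDirect: true,
      via: ["@mapbox/node-pre-gyp"], effects: [], range: "*",
      nodes: ["node_modules/libxmljs"], fixAvailable: true,
    },
    "@babel/traverse": {
      name: "@babel/traverse", severity: "critical", isDirect: false,
      via: [{
        name: "@babel/traverse", severity: "critical", range: "<7.23.2",
        title: "Babel vulnerable to arbitrary code execution when compiling specifically crafted malicious code",
        url: "https://github.com/advisories/GHSA-67hx-6x53-jw92",
      }],
      effects: ["@babel/core"], range: "<7.23.2",
      nodes: ["node_modules/@babel/traverse"], fixAvailable: true,
    },
    "@babel/core": {
      name: "@babel/core", severity: "critical", isDirect: true,
      via: ["@babel/traverse"], effects: [], range: "*",
      nodes: ["node_modules/@babel/core"], fixAvailable: true,
    },
  },
};

// Returns { directDependency: [{ package, severity, url, path }] }, where
// `path` is the chain from the direct dependency down to the vulnerable package.
function advisoriesByDirectDependency(report) {
  const vulns = report.vulnerabilities || {};
  const result = {};
  for (const [name, entry] of Object.entries(vulns)) {
    // Only entries carrying advisory objects are the real source of a finding;
    // entries whose `via` holds only package names are affected transitively.
    const advisories = (entry.via || []).filter((v) => typeof v === "object");
    if (advisories.length === 0) continue;

    // Breadth-first walk up the `effects` links to every direct dependency,
    // keeping the path taken and guarding against cycles in the graph.
    const queue = [[name]];
    const seen = new Set([name]);
    while (queue.length > 0) {
      const path = queue.shift();
      const currentName = path[path.length - 1];
      const current = vulns[currentName];
      if (!current) continue; // dangling reference: skip rather than crash
      if (current.isDirect) {
        if (!result[currentName]) result[currentName] = [];
        for (const a of advisories) {
          result[currentName].push({
            package: name, severity: a.severity, url: a.url,
            path: [...path].reverse().join(" > "),
          });
        }
      }
      for (const dependent of current.effects || []) {
        if (!seen.has(dependent)) {
          seen.add(dependent);
          queue.push([...path, dependent]);
        }
      }
    }
  }
  return result;
}

console.log(JSON.stringify(advisoriesByDirectDependency(sampleReport), null, 2));
```

To run it against a real project, replace `sampleReport` with `JSON.parse` of the output of `npm audit --json`; each key of the result is a direct dependency you can then consider pinning, patching with an override, or replacing.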
This package depends on inflight and it is vulnerable. https://security.snyk.io/vuln/SNYK-JS-INFLIGHT-6095116
Any plans for a fix?