mapbox / node-pre-gyp

Node.js tool for easy binary deployment of C++ addons
BSD 3-Clause "New" or "Revised" License

Upgrade `tar` to address security vulnerability #713

Closed iAmmar7 closed 1 month ago

iAmmar7 commented 3 months ago

Upgrade the tar dependency to the latest v7.0.1 to address the following security issue:

https://github.com/advisories/GHSA-f5x3-32g6-xq36
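To check whether a dependency tree actually picked up the upgrade this PR asks for, here is an added example (not node-pre-gyp's own code and not part of this PR) that scans a package-lock.json for copies of `tar` older than the 7.0.1 named above; the lock data in the block is constructed, and the version comparison assumes plain release versions.

```javascript
// Added example (not node-pre-gyp's own code, not part of this PR): audit a
// package-lock.json for copies of `tar` older than the version the PR targets
// (7.0.1, taken from the PR description). Reads the lockfileVersion 2/3
// "packages" map, which keys every installed copy by its node_modules path, so
// nested duplicates under other packages are found, not just the top-level one.
const REQUIRED_TAR = '7.0.1';

// Compare dotted numeric versions like a comparator (<0, 0, >0).
// Assumption: lockfiles pin plain releases, so any prerelease tag is ignored.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Return every installed copy of `tar` below `required`, with its lockfile path.
function findOutdatedTar(lock, required = REQUIRED_TAR) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    // `tar` is unscoped, so its path always ends in "node_modules/tar".
    const isTar = path === 'node_modules/tar' || path.endsWith('/node_modules/tar');
    if (isTar && meta.version && compareVersions(meta.version, required) < 0) {
      hits.push({ path, version: meta.version });
    }
  }
  return hits;
}

// Constructed sample lock (not a real project): the top-level tar is already
// 7.0.1, but a nested copy pulled in by node-pre-gyp is still 6.1.11.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo', version: '1.0.0' },
    'node_modules/tar': { version: '7.0.1' },
    'node_modules/@mapbox/node-pre-gyp': { version: '1.0.0' },
    'node_modules/@mapbox/node-pre-gyp/node_modules/tar': { version: '6.1.11' },
  },
};

for (const h of findOutdatedTar(SAMPLE_LOCK)) {
  console.log(`${h.path}: tar@${h.version} is below ${REQUIRED_TAR}`);
}
```

To run it against a real project, parse its package-lock.json with `JSON.parse` and pass the object to `findOutdatedTar` in place of `SAMPLE_LOCK`.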

cclauss commented 3 months ago

Please insert the line `- npm run update-crosswalk` after line 26 of the file `appveyor.yml` so we can see if your tests pass.

bensquire commented 2 months ago

I'm out of my depth here, but just to say we're seeing pressure to also update our packages because of the above tar dependency.

cclauss commented 2 months ago

@bensquire I would recommend dropping node-pre-gyp because it is unmaintained.

bensquire commented 2 months ago

Thanks @cclauss. Will look at what I need to tear out in turn :)

cclauss commented 1 month ago

Git conflicts -- Please rebase.