sintaxi / surge

CLI for the surge.sh CDN
https://surge.sh

⚠️ WARNING ⚠️ tar.gz module has been deprecated and your application is vulnerable #293

Open pizzarob opened 6 years ago

pizzarob commented 6 years ago

ALERT: npm WARN deprecated tar.gz@0.1.1: ⚠️ WARNING ⚠️ tar.gz module has been deprecated and your application is vulnerable. Please use tar module instead: https://npmjs.com/tar

kiwiupover commented 6 years ago

@sintaxi @djanowski I have this issue reported on the ember-cli-surge project also. https://github.com/kiwiupover/ember-cli-surge/issues/104

I believe the issue is related to security too.

elwayman02 commented 6 years ago

Any movement on this? Any project that uses surge, even just for its demo app, is going to cause concern among developers when they see a giant security warning on github due to this dependency.

sa-mm commented 6 years ago

I have these fixed here, but npm test:local is failing, so I'm hesitant to make a pull request.

elwayman02 commented 6 years ago

Might as well make a PR and see if it passes in CI. Could be a local issue.

sintaxi commented 6 years ago

Thanks for taking a look at this. I'll have a peek at your branch. I have a fairly big release in the works. I'll make sure a fix for this issue gets included.

balupton commented 6 years ago

> Thanks for taking a look at this. I'll have a peek at your branch. I have a fairly big release in the works. I'll make sure a fix for this issue gets included.

@sintaxi Is it possible to clone the repo, merge the PR, and do a patch release? Then at a later point, do your big release?

As of right now, any project that has surge as a dep or dev dep is getting security notifications from GitHub delivered to the maintainers of the repos.

So getting this fixed immediately would save a lot of time for all the devs that depend on your package.

elwayman02 commented 6 years ago

Any update on this?

balupton commented 6 years ago

Just to emphasise the annoyance of this. I have dozens of repos that have surge as a dev dep. And for each update posted for them, the other maintainers and I get these alerts:

[four screenshots of the GitHub security alerts, taken 2018-02-15]

If you are new to this error, it takes about 5-15 minutes to debug that the cause is surge.

Multiply this by each surge user.

sintaxi commented 6 years ago

Working hard on getting this release ready and I agree this is very annoying. Please air your grievances with GitHub because this warning is a false positive and unnecessary in the context of how surge uses the tar lib. GitHub is overreaching and it's extremely frustrating as a library author.

balupton commented 6 years ago

@sintaxi I understand, much love to all open-source maintainers ❤️