Open hsandovalskytap opened 5 years ago
I'm not sure who is maintaining this anymore. That said:
Hello! Is there an ETA to remediate the advisory on this package? npm/yarn audit is showing a vulnerability for this package's dependency.
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ high          │ Arbitrary File Overwrite                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ tar                                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=4.4.2                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ strong-supervisor                                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ strong-supervisor > appmetrics > tar                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/803                         │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ high          │ Arbitrary File Overwrite                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ tar                                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=4.4.2                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ strong-supervisor                                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ strong-supervisor > appmetrics-dash > appmetrics > tar       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/803                         │
└───────────────┴──────────────────────────────────────────────────────────────┘
Thanks!
Yes, can we bump the appmetrics dependency to the latest version, which is 5.x? Got into some issues with installing appmetrics@3.x on Windows.
Hello,
Recently we noticed there is a security vulnerability in node-tar, which is being used by one of your dependencies, appmetrics:
└─┬ strong-supervisor@6.2.0
  └─┬ appmetrics@3.1.3
    └── tar@2.2.1
appmetrics has already addressed the problem, but you would need to upgrade to the latest version, appmetrics@4.0.1. Could you help us out by upgrading appmetrics to the latest version?