vercel / fun

ƒun - Local serverless function λ development runtime
Apache License 2.0
482 stars 26 forks

Update `tar` for security #104

Open G-Rath opened 5 months ago

G-Rath commented 5 months ago

The current version of tar being depended on (4.4.18) is vulnerable to GHSA-f5x3-32g6-xq36 - while it's unlikely to be exploitable in this context, it still would be good to resolve since it creates noise in security scanners.

tar 5 and 6 dropped support for Node 4, 6, and 8 but this package already only supports Node 10+ so that shouldn't be a problem.

https://github.com/isaacs/node-tar/blob/main/CHANGELOG.md

G-Rath commented 4 months ago

Related to https://github.com/vercel/vercel/issues/11543