wwwaiser / react-js-pagination

http://vayser.github.io/react-js-pagination
Creative Commons Zero v1.0 Universal

2 high severity vulnerabilities #133

Open RamiroPastor opened 2 years ago

RamiroPastor commented 2 years ago
# npm audit report

tar  <=4.4.17
Severity: high
Arbitrary File Creation/Overwrite on Windows via insufficient relative path sanitization - https://github.com/advisories/GHSA-5955-9wpr-37jh
Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning using symbolic links - https://github.com/advisories/GHSA-qq89-hq3f-393p
Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning using symbolic links - https://github.com/advisories/GHSA-9r2w-394v-53qc
Arbitrary File Creation/Overwrite due to insufficient absolute path sanitization - https://github.com/advisories/GHSA-3jfq-g458-7qm9
Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning - https://github.com/advisories/GHSA-r628-mhmh-qjhw
fix available via `npm audit fix --force`
Will install react-js-pagination@3.0.2, which is a breaking change
node_modules/react-js-pagination/node_modules/tar
  react-js-pagination  >=3.0.3
  Depends on vulnerable versions of tar
  node_modules/react-js-pagination

2 high severity vulnerabilities

Is this bad?
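
To work through "Is this bad?" methodically, here is an added triage helper (not code from this issue or from the react-js-pagination project) that reads the JSON form of the same report (`npm audit --json`, assumed to follow the npm v7+ shape) and reports, for each package with advisories of its own, whether it is a direct or transitive dependency, which direct dependency pulls it in, where it sits in the tree, and whether the available fix is semver-major:

```javascript
// Added triage helper (not code from the issue or the react-js-pagination project).
// Assumes the npm v7+ `npm audit --json` shape: report.vulnerabilities[name] carries
// severity, isDirect, via (advisory objects, or names of other vulnerable packages),
// effects (packages depending on it), nodes (install paths) and fixAvailable.
// Constructed sample mirroring the text report quoted above in the issue.
const advisory = (id, title) => ({ severity: "high", title, url: `https://github.com/advisories/${id}` });
const sampleAudit = {
  vulnerabilities: {
    tar: {
      name: "tar", severity: "high", isDirect: false, range: "<=4.4.17",
      via: [
        advisory("GHSA-5955-9wpr-37jh", "Arbitrary File Creation/Overwrite on Windows via insufficient relative path sanitization"),
        advisory("GHSA-qq89-hq3f-393p", "Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning using symbolic links"),
        advisory("GHSA-9r2w-394v-53qc", "Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning using symbolic links"),
        advisory("GHSA-3jfq-g458-7qm9", "Arbitrary File Creation/Overwrite due to insufficient absolute path sanitization"),
        advisory("GHSA-r628-mhmh-qjhw", "Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning"),
      ],
      effects: ["react-js-pagination"],
      nodes: ["node_modules/react-js-pagination/node_modules/tar"],
      fixAvailable: { name: "react-js-pagination", version: "3.0.2", isSemVerMajor: true },
    },
    "react-js-pagination": {
      name: "react-js-pagination", severity: "high", isDirect: true, range: ">=3.0.3",
      via: ["tar"], effects: [], nodes: ["node_modules/react-js-pagination"],
      fixAvailable: { name: "react-js-pagination", version: "3.0.2", isSemVerMajor: true },
    },
  },
};

// Report each package that carries advisories of its own; entries whose `via` holds only
// package names (react-js-pagination here) are affected purely through a dependency.
function triageAudit(report) {
  const findings = [];
  for (const v of Object.values(report.vulnerabilities)) {
    const advisories = v.via.filter((x) => typeof x === "object");
    if (advisories.length === 0) continue;
    const fix = v.fixAvailable; // false, true, or { name, version, isSemVerMajor }
    findings.push({
      package: v.name,
      severity: v.severity,
      direct: v.isDirect,
      advisories: advisories.map((a) => a.url.split("/").pop()),
      pulledInBy: v.effects, // the direct dependencies to upgrade or replace
      installPath: v.nodes[0],
      fix: fix === false ? "none" : fix === true ? "non-breaking (npm audit fix)"
        : `${fix.name}@${fix.version}${fix.isSemVerMajor ? " (semver-major: breaking)" : ""}`,
    });
  }
  return findings;
}
```

Running `triageAudit(sampleAudit)` shows the single real finding is tar, reached only through react-js-pagination, with the only available fix being a semver-major downgrade of that direct dependency; whether the tar code path is ever executed at runtime is a question the audit output cannot answer.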

michaelshmitty commented 2 years ago

Does anyone know why tar is even a dependency of this package? I looked through the source code of react-js-pagination and didn't immediately see any code related to tar. Why would an archiving tool be a dependency of a React pagination plugin anyway?

karlkovaciny commented 2 years ago

They fixed this issue in https://github.com/wwwaiser/react-js-pagination/commit/56301a6b25ef60072801d9e6593c74f4bfdd6cb4, but never made a release out of it.