This repository has been archived by the owner on Jun 6, 2021. It is now read-only.

node-gyp < 4.0.0 has a vulnerability in the tar package dependency #87

Closed
giamir opened this issue Apr 24, 2019 · 5 comments · Fixed by #88

Comments

@giamir

giamir commented Apr 24, 2019

You should consider upgrading to node-gyp version 4.0.0, which uses version 4.4.8 of the tar package and is therefore patched.
nodejs/node-gyp@1456ef2

@nstepien
Owner

Thanks for letting us know, we'll look into it asap.

@oohnoitz
Collaborator

@MayhemYDG let's roll out https://dependabot.com/ on this repo. I don't have access but this will let us manage dependencies a bit better and automate some of the stuff for us.

@nstepien
Owner

@giamir this is now fixed and published in version 2.4.3.

@oohnoitz we could look into it yeah.
GitHub has a similar feature, I wonder why it didn't notify me though:

@oohnoitz
Collaborator

Well, opting for dependabot mostly cause it can create PRs for us and we'd just need to keep an eye on those instead.

@giamir
Author

giamir commented Apr 25, 2019 via email
