This repository has been archived by the owner on Aug 3, 2023. It is now read-only.

Upgrade tar dependency to a non-vulnerable version #2032

Closed
dhaynespls opened this issue Aug 19, 2021 · 0 comments · Fixed by #2033

Comments

@dhaynespls
Contributor

# npm audit report

tar  <=3.2.2 || 4.0.0 - 4.4.14 || 5.0.0 - 5.0.6 || 6.0.0 - 6.1.1
Severity: high
Arbitrary File Creation/Overwrite due to insufficient absolute path sanitization - https://npmjs.com/advisories/1770
Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning - https://npmjs.com/advisories/1771
fix available via `npm audit fix`
node_modules/@cloudflare/wrangler/node_modules/tar

We actually use this package here: https://github.com/cloudflare/wrangler/blob/8b11ea4664540230cb6970e62306e57ef56a0b28/npm/binary-install.js#L95

I'll be filing a PR to patch/version upgrade.

@dhaynespls dhaynespls added the dependencies Pull requests that update a dependency file label Aug 19, 2021
@dhaynespls dhaynespls self-assigned this Aug 19, 2021