This repository has been archived by the owner on Jan 3, 2022. It is now read-only.

Vulnerability in tar dependency. #19

Closed
csalmeida opened this issue May 7, 2019 · 1 comment

@csalmeida
Owner

I've noticed that an npm package has been flagged as a security vulnerability. This poses no problems for anyone using the themes as they're pure .css.

This is a difficult error to fix as documented in the node-sass repo, but it is worth flagging.

                    === npm audit security report ===                        
                                                                                
┌──────────────────────────────────────────────────────────────────────────────┐
│                                Manual Review                                 │
│            Some vulnerabilities require your attention to resolve            │
│                                                                              │
│         Visit https://go.npm.me/audit-guide for additional guidance          │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Arbitrary File Overwrite                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ tar                                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=4.4.2                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ gulp-sass [dev]                                              │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ gulp-sass > node-sass > node-gyp > tar                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/803                             │
└───────────────┴──────────────────────────────────────────────────────────────┘
found 1 high severity vulnerability in 6938 scanned packages
  1 vulnerability requires manual review. See the full report for details.
csalmeida added a commit that referenced this issue May 7, 2019
Necessary to remove npm security vulnerabilities #19.
@csalmeida csalmeida self-assigned this May 7, 2019
@csalmeida
Owner Author

Fixed with #20.

@csalmeida csalmeida added the dependencies Pull requests that update a dependency file label Feb 21, 2021