-
Notifications
You must be signed in to change notification settings - Fork 1.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
updated tar package version to 4.4.8 #1713
Conversation
should package-lock.json actually be committed ? It is not until now. |
AFAICT, the only BC break in v4 is isaacs/node-tar@a22932a |
Updated node-gyp to 3.8.1 (nodejs/node-gyp#1713) which got updated because of a security Issue in tar (https://www.npmjs.com/advisories/803)
shouldn't this be patched in the 3.x to be able to have it in a 3.8.1 release ? |
pls merge |
/me follows thread so he'll know when 3.8.1 is tagged, to unblock builds 'n' stuff |
When might this be released? |
PR-URL: #1713 Reviewed-By: Refael Ackermann <refack@gmail.com>
Running CI for |
CI for /home/iojs/build/workspace/nodegyp-test-commit/nodes/ubuntu1604-64/lib/install.js:152
, extracter = tar.Extract({ path: devDir, strip: 1, filter: isValid })
^
TypeError: tar.Extract is not a function
at /home/iojs/build/workspace/nodegyp-test-commit/nodes/ubuntu1604-64/lib/install.js:152:27
at /home/iojs/build/workspace/nodegyp-test-commit/nodes/ubuntu1604-64/node_modules/mkdirp/index.js:30:20
at FSReqWrap.oncomplete (fs.js:135:15) |
Gotta love it when you apply a security patch to your dependency (in this case, - "tar": "^3.1.3",
+ "tar": "^4.4.8",
|
Line 35 in e6699d1
When we bumped |
@richardlau confirmed that porting the changes from #1212 into the |
Once `node-gyp` issues a release, we can back this out and update. The version number for that will likely be `3.8.1` More info at: nodejs/node-gyp#1713
Once `node-gyp` issues a release, we can back this out and update. The version number for that will likely be `3.8.1` More info at: nodejs/node-gyp#1713
PR-URL: nodejs#1713 Reviewed-By: Refael Ackermann <refack@gmail.com>
PR-URL: nodejs#1713 Reviewed-By: Refael Ackermann <refack@gmail.com>
Any idea when this will be released? All of our CI builds are complaining about the vulnerability. |
PR-URL: nodejs#1713 Reviewed-By: Refael Ackermann <refack@gmail.com> (cherry picked from commit 1456ef2)
PR-URL: #1713 Reviewed-By: Refael Ackermann <refack@gmail.com>
Seems that a lot of people are having this issue (myself included)... I suppose you could say they are stuck on the tar? |
@smity81435 Yes that is where I am stuck. |
Is there anything that we could in order to (at least) temporarily fix this ? |
Change your package-lock and use `npm ci` to install your deps
…On Fri, 26 Apr 2019, 13:21 iwaduarte, ***@***.***> wrote:
Is there anything that we could in order to temporarily fix this ?
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub
<#1713 (comment)>, or mute
the thread
<https://github.com/notifications/unsubscribe-auth/AA4MKIWDTZLONOIWN6LQGVDPSLQSTANCNFSM4HEGUDDQ>
.
|
Change it how? |
Is it safe/recommended to modify npm manged file 'package-lock.json'? I've always thought it's not and such manual edits are discouraged.
|
I am still getting this issue:
any idea how to resolve this? HF |
Checklist
npm install && npm test
passesDescription of change
I updated tar package version in which there were vulnerabilities:
About vulnerability: https://app.snyk.io/vuln/SNYK-JS-TAR-174125
Reviewers
@TooTallNate