Is your feature request related to a problem? Please describe.
We are using zookeeper in our services, which have been scanned using decompress-tar 4.1.1 (CVE-2020-12265). decompress 4.2.1 should have the fix already (details), but it seems zookeeper also references decompress-targz@4.1.1 for pre-publish scripts; this dependency could probably be moved to dev dependencies to help us eliminate the warnings.
When running npm audit there are no alerts about this, and as you write, the decompress package is already updated. I can't find any issues with the decompress-targz package? It is used in the install process and cannot be moved to dev-dependencies.
Hi @DavidVujic, thanks for the quick reply. I double-checked the prepublish.js file: decompress-targz is used with decompress as a plugin. If decompress has been fixed in 4.2.1, this shouldn't need any update. I will double-check with our security ops to ensure their scripts are properly handling this.
Describe the solution you'd like
npm uninstall decompress-targz && npm install decompress-targz --save-dev
Describe alternatives you've considered
N/A
Additional context
N/A