GitHub's Security Warning on tar package
Opened this issue · 0 comments
JrMasterModelBuilder commented
GitHub is currently warning us about a security issue in the tar package in the dev dependency chain.
In the context it's used, it's not a security risk, nor is it installed by users of the Atom package.
Once electron-rebuild updates to the latest node-gyp, or node-gyp back-ports the fix, we can update the package anyway.
$ npm audit
=== npm audit security report ===
┌──────────────────────────────────────────────────────────────────────────────┐
│ Manual Review │
│ Some vulnerabilities require your attention to resolve │
│ │
│ Visit https://go.npm.me/audit-guide for additional guidance │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High │ Arbitrary File Overwrite │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package │ tar │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in │ >=4.4.2 │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ electron-rebuild [dev] │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path │ electron-rebuild > node-gyp > tar │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info │ https://npmjs.com/advisories/803 │
└───────────────┴──────────────────────────────────────────────────────────────┘
found 1 high severity vulnerability in 1015 scanned packages
1 vulnerability requires manual review. See the full report for details.