Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Update dependencies for vulnerabilities, please? #61

Open
ajvincent opened this issue Oct 5, 2024 · 4 comments
Open

Update dependencies for vulnerabilities, please? #61

ajvincent opened this issue Oct 5, 2024 · 4 comments

Comments

@ajvincent
Copy link

I'm considering using esvu for testing my library across several different JavaScript engines, but I'm concerned about the npm audit report.

@ljharb
Copy link

ljharb commented Oct 6, 2024

All of the dependencies are using ^; you can update them in your own lockfile.

Are there any npm audit complaints that require a major upgrade?

@ajvincent
Copy link
Author

# npm audit report

tar  <6.2.1
Severity: moderate
Denial of service while parsing a tar file due to lack of folders count validation - https://github.com/advisories/GHSA-f5x3-32g6-xq36
fix available via `npm audit fix --force`
Will install esvu@0.1.4, which is a breaking change
node_modules/tar
  esvu  >=1.0.0
  Depends on vulnerable versions of tar
  node_modules/esvu

2 moderate severity vulnerabilities

To address all issues (including breaking changes), run:
  npm audit fix --force

The report states anything less than 6.2.1 is considered vulnerable. esvu's tar dependency is ^5.0.5.

Granted, the sources are probably trusted. Apologies for the delay.

@ajvincent
Copy link
Author

The good news is a quick perusal of the esvu code (src/common.js) and node-tar's documentation implies the upgrade will be compatible.

@devsnek
Copy link
Owner

devsnek commented Oct 15, 2024

these vulnerabilities don't represent any real world problem so this issue is fairly low on my list, but feel free to open a PR updating the deps to your satisfaction.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

3 participants