Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Security vuln with [email protected] #226

Open
imbrianj opened this issue Sep 3, 2020 · 0 comments
Open

Security vuln with [email protected] #226

imbrianj opened this issue Sep 3, 2020 · 0 comments

Comments

@imbrianj
Copy link

imbrianj commented Sep 3, 2020

There's currently a chain of dependencies that are creating a security vulnerability. If possible, grunt-contrib-compress should pin to a newer version of archiver (currently @5.0.0).

grunt-contrib-compress pins to archiver at ^1.3.0: https://github.com/gruntjs/grunt-contrib-compress/blob/master/package.json#L19 This version uses tar-stream@^1.5.0: https://github.com/archiverjs/node-archiver/blob/v1.3/package.json#L38 [email protected] uses bl@^1.0.0: https://github.com/mafintosh/tar-stream/blob/17a6500850bab799f0ed6fc03237098b4acbe7de/package.json#L10 There is a current vulnerability in older versions, requiring an upgrade to packages that depend on this. Details here: https://nvd.nist.gov/vuln/detail/CVE-2020-8244
bendman added a commit to bendman/grunt-contrib-compress that referenced this issue Sep 14, 2020
@bendman
fix security issue with old bl subdependency
f0a31a0 
by bumping archiver dependency to latest

gruntjs#226
@bendman bendman mentioned this issue Sep 14, 2020
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@imbrianj