Skip to content
This repository has been archived by the owner on Jan 3, 2022. It is now read-only.

Fixes npm securtity warning of package tar #20

Merged
merged 3 commits into from
May 7, 2019
Merged

Conversation

csalmeida
Copy link
Owner

The issue #19, is related with dependencies used by gulp-sass. This PR updates package-lock.json changing the version of tar from v2 to v4.4.2, required to remove the warning.

The issue is also documented on other repos:

The warning would show as follows:

                       === npm audit security report ===                        
                                                                                
┌──────────────────────────────────────────────────────────────────────────────┐
│                                Manual Review                                 │
│            Some vulnerabilities require your attention to resolve            │
│                                                                              │
│         Visit https://go.npm.me/audit-guide for additional guidance          │
└──────────────────────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Arbitrary File Overwrite                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ tar                                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=4.4.2                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ gulp-sass [dev]                                              │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ gulp-sass > node-sass > node-gyp > tar                       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/803                             │
└───────────────┴──────────────────────────────────────────────────────────────┘
found 1 high severity vulnerability in 6938 scanned packages
  1 vulnerability requires manual review. See the full report for details.

Running npm audit after updating the package should return:

                                                                                
                       === npm audit security report ===                        
                                                                                
found 0 vulnerabilities
in 6918 scanned packages

csalmeida added 3 commits May 7, 2019 11:58
A screenshot of Deutera One to be used in the readme.
Necessary to remove npm security vulnerabilities #19.
@csalmeida csalmeida requested a review from kellycopas May 7, 2019 12:16
@csalmeida csalmeida self-assigned this May 7, 2019
Copy link
Collaborator

@kellycopas kellycopas left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

OK

@csalmeida csalmeida requested a review from kellycopas May 7, 2019 13:36
Copy link
Collaborator

@kellycopas kellycopas left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

OK 👍

@csalmeida csalmeida requested a review from kellycopas May 7, 2019 14:00
Copy link
Collaborator

@kellycopas kellycopas left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

OK

@csalmeida csalmeida merged commit e8c70d2 into master May 7, 2019
@csalmeida csalmeida deleted the security-tar-fix branch May 7, 2019 17:30
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants