Vulnerability in chownr introduced through tar

[imtbl]

chownr has a TOCTOU vulnerability that apparently can't be fixed without an addition to Node.js itself.

It's introduced to better-sqlite3 through tar.

As far as I can see it, tar is only used here to extract sqlite3 itself that's bundled here.

Do you see any way to get rid of tar and therefore the vulnerability (maybe not bundling it into a tarball but a different format – if there is any that can be used in Node.js without requiring a different library that depends on chownr, that is)?

Edit: To clarify, I realize the vulnerability probably couldn't be exploited in this use case anyway, but if there was an easy way to get rid of it, I would prefer that. If only so that projects depending on better-sqlite3 don't have the vulnerability showing up on Snyk or other platforms and don't have to manually ignore them for builds to succeed.

[JoshuaWise]

I can't think of an easy alternative in the moment, but I'll look into this.

For others reading this, note that there's no real vulnerability since the tar package is only used for installation purposes.

[imtbl]

Quick heads up: Snyk no longer considers this a vulnerability of chownr, likely due to this explanation.

Therefore, it also no longer shows up as vulnerability when using better-sqlite3.

Closing this issue.