Upgrade tar to address security vulnerability #713
Please insert the line
@@ -24,6 +24,7 @@ install: | |||
- IF /I "%PLATFORM%" == "x64" CALL "C:\Program Files (x86)\Microsoft Visual Studio 14.0\VC\vcvarsall.bat" amd64 | |||
- IF /I "%PLATFORM%" == "x86" CALL "C:\Program Files (x86)\Microsoft Visual Studio 14.0\VC\vcvarsall.bat" x86 | |||
- npm ci | |||
- npm run update-crosswalk |
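Review bot: the hunk header (`-24,6 +24,7`) records exactly one added line, but the rendering has lost the `+` marker, so the new install step cannot be told apart from the three existing ones from the hunk alone; the preceding comment ("Please insert the line") suggests the addition is `- npm run update-crosswalk`, and the PR description should say so. Separately, because this step runs `npm ci`, which installs strictly from the committed lockfile and fails when package.json and the lockfile disagree, the tar upgrade this PR makes needs the regenerated package-lock.json committed alongside the package.json bump or this install step will fail on CI.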
Great! Now set lines 5 thru 7 of appveyor.yml to

- nodejs_version: 18
- nodejs_version: 20
- nodejs_version: 22

to match https://nodejs.org/en/about/previous-releases#release-schedule and your tests should be green. ✅
The tests would be green because of the newer Node versions, but are you sure I should remove the older versions from the tests?
Well, it did not pass for Node 20 and 21.
Looks like there's an explanation for that here: https://github.com/mapbox/node-pre-gyp/pull/712/files#diff-92ab9a36df5d8e9f7076f2fdec59492d1ac2d9cf27ea046767a7fc4d542ef3dcR11

I'm out of my depth here, but just to say we're seeing pressure to also update our packages because of the above tar dependency.

@bensquire I would recommend dropping

Thanks @cclauss. Will look at what I need to tear out in turn :)
- nodejs_version: 14 | ||
- nodejs_version: 18 | ||
- nodejs_version: 20 | ||
- nodejs_version: 21 |
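Review bot: the matrix in this hunk runs the suite on Node 14, 18, 20 and 21, but 14 and 21 are no longer maintained release lines (Node 14 reached end of life in April 2023, Node 21 in June 2024), so those jobs neither reflect the runtimes users have nor exercise the current LTS line. Replace `- nodejs_version: 14` and `- nodejs_version: 21` with `- nodejs_version: 22` so the matrix covers the 18/20/22 set proposed earlier in the thread, and document in the PR description that support for Node 14 is being dropped by the CI change.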
node 22 is out now
- nodejs_version: 21 | |
- nodejs_version: 22 |
Git conflicts -- Please rebase.

Upgrade the tar dependency to the latest v7.0.1 to address the following security issue: GHSA-f5x3-32g6-xq36