diff --git a/node_modules/bl/bl.js b/node_modules/bl/bl.js
index e0eef85a3b67c..3e5512790cd77 100644
--- a/node_modules/bl/bl.js
+++ b/node_modules/bl/bl.js
@@ -185,18 +185,22 @@ BufferList.prototype.copy = function copy (dst, dstStart, srcStart, srcEnd) {
 if (bytes > l) {
 this._bufs[i].copy(dst, bufoff, start)
+ bufoff += l
 } else {
 this._bufs[i].copy(dst, bufoff, start, start + bytes)
+ bufoff += l
 break
 }
- bufoff += l
 bytes -= l
 if (start)
 start = 0
 }
+ // safeguard so that we don't return uninitialized memory
+ if (dst.length > bufoff) return dst.slice(0, bufoff)
+
 return dst
 }
@@ -232,6 +236,11 @@ BufferList.prototype.toString = function toString (encoding, start, end) {
 }
 BufferList.prototype.consume = function consume (bytes) {
+ // first, normalize the argument, in accordance with how Buffer does it
+ bytes = Math.trunc(bytes)
+ // do nothing if not a positive number
+ if (Number.isNaN(bytes) || bytes <= 0) return this
+
 while (this._bufs.length) {
 if (bytes >= this._bufs[0].length) {
 bytes -= this._bufs[0].length
diff --git a/node_modules/bl/package.json b/node_modules/bl/package.json
index 85611a6cb5c47..3dbbf698d2bae 100644
--- a/node_modules/bl/package.json
+++ b/node_modules/bl/package.json
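Review bot: The new safeguard at the end of `copy` also fires when `dst` was supplied by the caller, so a `copy(dst, dstStart)` into a buffer larger than the copied range now returns a truncated view of `dst` rather than `dst` itself, which any caller that chains on the return value will notice. The uninitialized-memory concern only applies to the buffer this function allocates for the slice path, so the guard should be limited to that case, e.g. `if (allocatedHere && dst.length > bufoff) return dst.slice(0, bufoff)`, where `allocatedHere` stands for whatever flag the function's preamble uses to record that `dst` was created here; that preamble is outside the hunk, so the name needs confirming. Reaching this line also means `this.length` disagreed with the sum of the buffer lengths, and the guard silently masks that inconsistency; a comment such as `// bufoff < dst.length means this.length overstated the data we hold; never hand back the unwritten tail` would make the intent clear to the next reader.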
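Review bot: The guard in `consume` rejects NaN and non-positive counts but lets `Infinity` through: `Math.trunc(Infinity)` is still `Infinity`, `Number.isNaN` is false and `bytes <= 0` is false, so the loop below drains every buffer with `bytes` remaining `Infinity`, and whatever length bookkeeping follows the loop (outside the hunk) then runs with an infinite count. `Number.isFinite` covers NaN and both infinities in a single test: `if (!Number.isFinite(bytes) || bytes <= 0) return this`. The comment refers to "how Buffer does it", but the contract actually enforced here is narrower than Buffer's offset handling, so it is better to state it directly, e.g. `// non-numeric, NaN, non-finite or non-positive counts are a no-op`.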
@@ -1,27 +1,29 @@
 {
- "_from": "bl@^3.0.0",
- "_id": "bl@3.0.0",
+ "_from": "bl@3.0.1",
+ "_id": "bl@3.0.1",
 "_inBundle": false,
- "_integrity": "sha512-EUAyP5UHU5hxF8BPT0LKW8gjYLhq1DQIcneOX/pL/m2Alo+OYDQAJlHq+yseMP50Os2nHXOSic6Ss3vSQeyf4A==",
+ "_integrity": "sha512-jrCW5ZhfQ/Vt07WX1Ngs+yn9BDqPL/gw28S7s9H6QK/gupnizNzJAss5akW20ISgOrbLTlXOOCTJeNUQqruAWQ==",
 "_location": "/bl",
 "_phantomChildren": {},
 "_requested": {
- "type": "range",
+ "type": "version",
 "registry": true,
- "raw": "bl@^3.0.0",
+ "raw": "bl@3.0.1",
 "name": "bl",
 "escapedName": "bl",
- "rawSpec": "^3.0.0",
+ "rawSpec": "3.0.1",
 "saveSpec": null,
- "fetchSpec": "^3.0.0"
+ "fetchSpec": "3.0.1"
 },
 "_requiredBy": [
+ "#DEV:/",
+ "#USER",
 "/tar-stream"
 ],
- "_resolved": "https://registry.npmjs.org/bl/-/bl-3.0.0.tgz",
- "_shasum": "3611ec00579fd18561754360b21e9f784500ff88",
- "_spec": "bl@^3.0.0",
- "_where": "/Users/aeschright/code/cli/node_modules/tar-stream",
+ "_resolved": "https://registry.npmjs.org/bl/-/bl-3.0.1.tgz",
+ "_shasum": "1cbb439299609e419b5a74d7fce2f8b37d8e5c6f",
+ "_spec": "bl@3.0.1",
+ "_where": "/Users/darcyclarke/Documents/Repos/npm/npm/cli",
 "authors": [
 "Rod Vagg (https://github.com/rvagg)",
 "Matteo Collina (https://github.com/mcollina)",
@@ -58,5 +60,5 @@
 "scripts": {
 "test": "node test/test.js | faucet"
 },
- "version": "3.0.0"
+ "version": "3.0.1"
 }
diff --git a/node_modules/bl/test/test.js b/node_modules/bl/test/test.js
index 1da0293b6d146..d8e552d8a8148 100644
--- a/node_modules/bl/test/test.js
+++ b/node_modules/bl/test/test.js
@@ -431,6 +431,22 @@ tape('test toString encoding', function (t) {
 t.end()
 })
+tape('uninitialized memory', function (t) {
+ const secret = crypto.randomBytes(256)
+ for (let i = 0; i < 1e6; i++) {
+ const clone = Buffer.from(secret)
+ const bl = new BufferList()
+ bl.append(Buffer.from('a'))
+ bl.consume(-1024)
+ const buf = bl.slice(1)
+ if (buf.indexOf(clone) !== -1) {
+ t.fail(`Match (at ${i})`)
+ break
+ }
+ }
+ t.end()
+ })
+
 !process.browser && tape('test stream', function (t) {
 var random = crypto.randomBytes(65534)
 , rndhash = hash(random, 'md5')
diff --git a/package-lock.json b/package-lock.json
index b8eafd53470c8..6269cc2828097 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -440,9 +440,9 @@
 "dev": true
 },
 "bl": {
- "version": "3.0.0",
- "resolved": "https://registry.npmjs.org/bl/-/bl-3.0.0.tgz",
- "integrity": "sha512-EUAyP5UHU5hxF8BPT0LKW8gjYLhq1DQIcneOX/pL/m2Alo+OYDQAJlHq+yseMP50Os2nHXOSic6Ss3vSQeyf4A==",
+ "version": "3.0.1",
+ "resolved": "https://registry.npmjs.org/bl/-/bl-3.0.1.tgz",
+ "integrity": "sha512-jrCW5ZhfQ/Vt07WX1Ngs+yn9BDqPL/gw28S7s9H6QK/gupnizNzJAss5akW20ISgOrbLTlXOOCTJeNUQqruAWQ==",
 "dev": true,
 "requires": {
 "readable-stream": "^3.0.1"
diff --git a/package.json b/package.json
index ec70f0099f79c..75653657f2a44 100644
--- a/package.json
+++ b/package.json
@@ -275,6 +275,7 @@
 "write-file-atomic"
 ],
 "devDependencies": {
+ "bl": "^3.0.1",
 "deep-equal": "^1.0.1",
 "get-stream": "^4.1.0",
 "licensee": "^7.0.3",