1.22 is still vulnerable to event-stream vulnerability
ruslan-bikkinin opened this issue · comments
Ruslan Bikkinin commented
1.22 still depends on vulnerable gulp-untar@0.0.7, though the fixed version is 0.0.8.
https://github.com/Microsoft/vscode-extension-vscode/blob/master/package-lock.json#L797
https://github.com/Microsoft/vscode-extension-vscode/blob/master/package-lock.json#L801
+-- vscode@1.1.22
| +-- gulp-remote-src-vscode@0.5.1
| | `-- event-stream@3.3.4
| +-- gulp-symdest@1.1.1
| | `-- event-stream@3.3.4
| +-- gulp-untar@0.0.7
Fix in gulp-untar: jmerrifield/gulp-untar@5e6d136
Benjamin Pasero commented
~/development/vscode-extension-vscode> git describe --tags
1.1.23
~/development/vscode-extension-vscode> npm audit
=== npm audit security report ===
found 0 vulnerabilities
in 893 scanned packages
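
The lockfile check discussed in this thread can also be done directly against `package-lock.json`. The following is an added example, not part of the issue or of the project's code: it assumes the npm lockfile v1 layout (nested `dependencies` maps), and `sampleLock`, `findFlagged` and `requiredBy` are hypothetical names. The sample is constructed to mirror the tree quoted above, and its `requires` ranges are constructed values.

```javascript
// Constructed sample in npm lockfile v1 shape, mirroring the tree in the issue.
// The "requires" ranges are constructed for illustration.
const sampleLock = {
  name: "vscode",
  version: "1.1.22",
  dependencies: {
    "event-stream": { version: "3.3.4" },
    "gulp-remote-src-vscode": { version: "0.5.1", requires: { "event-stream": "3.3.4" } },
    "gulp-symdest": { version: "1.1.1", requires: { "event-stream": "3.3.4" } },
    "gulp-untar": { version: "0.0.7", requires: { "event-stream": "~3.3.4" } },
  },
};

// Report every installed copy of a flagged name@version with its install path.
function findFlagged(lock, flagged) {
  const wanted = new Set(flagged);
  const hits = [];
  const walk = (deps, path) => {
    for (const [name, entry] of Object.entries(deps || {})) {
      const id = `${name}@${entry.version}`;
      const here = [...path, id];
      if (wanted.has(id)) hits.push(here.join(" > "));
      walk(entry.dependencies, here); // non-hoisted copies nest under "dependencies"
    }
  };
  walk(lock.dependencies, [`${lock.name}@${lock.version}`]);
  return hits;
}

// List every package, at any depth, whose "requires" map names `target`.
function requiredBy(lock, target) {
  const parents = [];
  const walk = (deps) => {
    for (const [name, entry] of Object.entries(deps || {})) {
      if (entry.requires && target in entry.requires) {
        parents.push(`${name}@${entry.version} requires ${target}@${entry.requires[target]}`);
      }
      walk(entry.dependencies);
    }
  };
  walk(lock.dependencies);
  return parents;
}

console.log(findFlagged(sampleLock, ["gulp-untar@0.0.7"]));
console.log(requiredBy(sampleLock, "event-stream"));
```

Lockfiles written by newer npm versions keep a flat `packages` map instead, so the walk would need adapting for them.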