1.22 is still vulnerable to event-stream vulnerability

Question

1.22 is still vulnerable to event-stream vulnerability

ruslan-bikkinin opened this issue 6 years ago · comments

1.22 is still depend on vulnerable gulp-untar@0.0.7, though the fixed version is 0.0.8.

https://github.com/Microsoft/vscode-extension-vscode/blob/master/package-lock.json#L797
https://github.com/Microsoft/vscode-extension-vscode/blob/master/package-lock.json#L801

+-- vscode@1.1.22
| +-- gulp-remote-src-vscode@0.5.1
| | `-- event-stream@3.3.4
| +-- gulp-symdest@1.1.1
| | `-- event-stream@3.3.4
| +-- gulp-untar@0.0.7

Fix in gulp-untar: jmerrifield/gulp-untar@5e6d136

Commit history:

Benjamin Pasero · Answer 1 · Tue Dec 04 2018 19:10:22 GMT+0800 (China Standard Time)

~/development/vscode-extension-vscode> git describe --tags
1.1.23
~/development/vscode-extension-vscode> npm audit
                                                                                
                       === npm audit security report ===                        
                                                                                
found 0 vulnerabilities
 in 893 scanned packages