decompress-tar vulnerability
jack1220 opened this issue
Are you certain it's a bug?
- Yes, it looks like a bug
Is the issue caused by a plugin?
- It is not a plugin issue
Are you using the latest v3 release?
- Yes, I'm using the latest v3 release
Is there an existing issue for this?
- I have searched existing issues, it hasn't been reported yet
Issue description
Snyk has detected a vulnerability in decompress-tar (via serverless@3.38.0).
Detailed paths are as below:
- package.json@* › serverless@3.38.0 › @serverless/dashboard-plugin@7.2.0 › @serverless/utils@6.15.0 › decompress@4.2.1 › decompress-tar@4.1.1
- package.json@* › serverless@3.38.0 › @serverless/dashboard-plugin@7.2.0 › @serverless/utils@6.15.0 › decompress@4.2.1 › decompress-tarbz2@4.1.1 › decompress-tar@4.1.1
- package.json@* › serverless@3.38.0 › @serverless/dashboard-plugin@7.2.0 › @serverless/utils@6.15.0 › decompress@4.2.1 › decompress-targz@4.1.1 › decompress-tar@4.1.1
I found the issue raised in decompress, but there has been no response yet. The latest release of decompress was in April 2020.
Would it be possible to replace the decompress referenced in @serverless/utils@6.15.0 with some other library, since decompress seems to lack maintenance?
Service configuration (serverless.yml) content
N/A
Command name and used flags
N/A
Command output
N/A
Environment information
Framework Core: 3.38.0 (local) 3.38.0 (global)
Plugin: 7.2.0
SDK: 4.5.1
We're also encountering this problem. I saw in a previous issue (#7402) that https://www.npmjs.com/package/adm-zip was mentioned as a possible alternative, since decompress seems to be near-abandoned at this point.