tensorflow / tfjs

A WebGL accelerated JavaScript library for training and deploying ML models.

Home Page: https://js.tensorflow.org


tfjs-node - upgrade tar >=6.2.1

crisward opened this issue

I've been receiving this moderate security error for a while:

  npm audit
  tar  <6.2.1
  Severity: moderate
  Denial of service while parsing a tar file due to lack of folders count validation - https://github.com/advisories/GHSA-f5x3-32g6-xq36
  @tensorflow/tfjs-node  >=0.1.12
  Depends on vulnerable versions of tar
  node_modules/@tensorflow/tfjs-node

Hopefully as simple as updating the dependency and releasing a patched version to npm.

Hi, @crisward

We sincerely apologize for the delay in our response. We appreciate you bringing this important issue to our attention.

We've identified that the @tensorflow/tfjs-node package currently specifies a dependency on "tar": "^4.4.6". To address a known security vulnerability detailed in this GitHub security advisory: GHSA-f5x3-32g6-xq36, we'll need to update the tar dependency to a version greater than or equal to 6.2.1.

Our team is actively discussing this update and we will implement a fix shortly. We truly value your time and appreciate you helping us maintain a secure environment.

Thank you for your cooperation and patience.