tfjs-node - upgrade tar >=6.2.1
crisward opened this issue · comments
I've been receiving this moderate security error for a while
npm audit
tar <6.2.1
Severity: moderate
Denial of service while parsing a tar file due to lack of folders count validation - https://github.com/advisories/GHSA-f5x3-32g6-xq36
@tensorflow/tfjs-node >=0.1.12
Depends on vulnerable versions of tar
node_modules/@tensorflow/tfjs-node
Hopefully as simple as updating the dependency and releasing a patched version to npm.
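As an added check (not code from the issue or from tfjs-node), the snippet below walks a package-lock.json `packages` map, reports every installed copy of `tar` that still resolves below the 6.2.1 fix named in GHSA-f5x3-32g6-xq36, and builds the npm `overrides` stanza that forces nested copies up until the upstream dependency is bumped. The lockfile contents are constructed for illustration.

```javascript
// Added example: audit a lockfile for copies of `tar` below the fixed version
// from GHSA-f5x3-32g6-xq36, and emit an npm "overrides" entry as a stopgap.
const FIXED_TAR = "6.2.1";

// Compare two dotted version cores (tar releases carry no prerelease tags).
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// A key that is "node_modules/tar" or ends in "/node_modules/tar" is an
// installed copy of tar, top-level or nested. Return each copy below `fixed`.
function findVulnerableTar(lock, fixed = FIXED_TAR) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const isTar = path === "node_modules/tar" || path.endsWith("/node_modules/tar");
    if (isTar && meta.version && compareVersions(meta.version, fixed) < 0) {
      hits.push({ path, version: meta.version });
    }
  }
  return hits;
}

// npm honours a top-level "overrides" field in package.json; this forces every
// nested tar to the fixed range without waiting for the dependent to update.
function tarOverride(fixed = FIXED_TAR) {
  return { overrides: { tar: `>=${fixed}` } };
}

// Constructed sample lockfile (lockfileVersion 3 layout): the root tar is fixed,
// but the copy nested under tfjs-node still satisfies "^4.4.6".
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "node_modules/@tensorflow/tfjs-node": { dependencies: { tar: "^4.4.6" } },
    "node_modules/@tensorflow/tfjs-node/node_modules/tar": { version: "4.4.19" },
    "node_modules/tar": { version: "6.2.1" },
  },
};

console.log(findVulnerableTar(SAMPLE_LOCK));
console.log(JSON.stringify(tarOverride(), null, 2));
```

Run it against your real lockfile by replacing SAMPLE_LOCK with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`.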
Hi, @crisward
We sincerely apologize for the delay in our response. We appreciate you bringing this important issue to our attention.
We've identified that the @tensorflow/tfjs-node package currently specifies a dependency on "tar": "^4.4.6". To address a known security vulnerability detailed in this GitHub security advisory: GHSA-f5x3-32g6-xq36, we'll need to update the tar dependency to a version greater than or equal to 6.2.1.
Our team is actively discussing this update and we will implement a fix shortly. We truly value your time and appreciate you helping us maintain a secure environment.
Thank you for your cooperation and patience.