aligent-lturner opened a new issue, #123: URL: https://github.com/apache/openwhisk-wskdebug/issues/123
As per `npm audit`, the dependency on version ^3.2.0 of `dockerode` means that a vulnerable version of `tar-fs` gets installed.

```
# npm audit report

tar-fs  2.0.0 - 2.1.3
Severity: high
tar-fs has a symlink validation bypass if destination directory is predictable with a specific tarball - https://github.com/advisories/GHSA-vj76-c3g6-qr5v
tar-fs can extract outside the specified dir with a specific tarball - https://github.com/advisories/GHSA-8cj5-5rvv-wf4v
tar-fs Vulnerable to Link Following and Path Traversal via Extracting a Crafted tar File - https://github.com/advisories/GHSA-pq67-2wwv-3xjx
fix available via `npm audit fix --force`
Will install @openwhisk/[email protected], which is a breaking change
node_modules/tar-fs
  dockerode  3.0.0 - 4.0.4
  Depends on vulnerable versions of tar-fs
  node_modules/dockerode
    @openwhisk/wskdebug  >=1.3.0
    Depends on vulnerable versions of dockerode
    node_modules/@openwhisk/wskdebug

3 high severity vulnerabilities
```

Here is the advisory for `tar-fs`: https://github.com/advisories/GHSA-pq67-2wwv-3xjx

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at: [email protected]
