grunt-aws-lambda

Old npm version has security vulnerabilities - update to ~> v7.0.0

Open kannapples opened this issue 4 years ago • 0 comments

This package is running a really old version of npm (2.15.12 while current is 7.24.0), which has a known security vulnerability in its dependencies.

One of my projects received a dependabot security warning about tar package versions below 4.4.16. This package is currently using tar 2.2.1 through the npm package.


I tracked the minimum npm version required to plug this security hole: v7.0.0

  • node-gyp needs to be at least v7.0.0 to pull in this commit which upgrades the tar version to ~> 4.4.16.
  • npm removes the outdated node-gyp dependency and has a secure tar version in this commit, which is part of the v7.0.0 release: https://github.com/npm/cli/blob/v7.0.0/package.json

kannapples avatar Sep 21 '21 19:09 kannapples
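The chain described in this issue (grunt-aws-lambda pulling in an old npm, which pulls node-gyp, which pins tar 2.2.1) is the kind of transitive pin that `npm audit` reports but that is awkward to locate by hand. The following is an added example, not code from the issue or from the grunt-aws-lambda project: it walks a lockfileVersion 1 `package-lock.json` tree and reports every path to a `tar` copy below 4.4.16. The embedded lockfile is constructed; the node-gyp and grunt-aws-lambda versions in it are placeholders, while the npm and tar versions are the ones named above.

```python
"""Walk a lockfile's nested dependency tree and flag tar versions below 4.4.16."""
import json

MIN_SAFE_TAR = "4.4.16"  # threshold from the dependabot warning quoted in the issue

# Constructed sample in the shape of a lockfileVersion 1 package-lock.json.
# npm 2.15.12 and tar 2.2.1 come from the issue; the other versions are placeholders.
SAMPLE_LOCK = json.dumps({
    "name": "example-app", "lockfileVersion": 1,
    "dependencies": {
        "grunt-aws-lambda": {"version": "0.0.0-placeholder", "dependencies": {
            "npm": {"version": "2.15.12", "dependencies": {
                "node-gyp": {"version": "0.0.0-placeholder", "dependencies": {
                    "tar": {"version": "2.2.1"}}}}}}},
        "tar": {"version": "6.1.11"},  # a top-level, already patched copy
    },
})


def parse_version(v):
    """Turn '4.4.16' (or '7.0.0-rc.1', ignoring the prerelease tag) into a tuple of ints."""
    core = v.split("-", 1)[0]
    return tuple(int(p) for p in core.split("."))


def find_vulnerable(lock_json, name="tar", min_safe=MIN_SAFE_TAR):
    """Return (dependency path, version) pairs for every copy of `name` below `min_safe`."""
    lock = json.loads(lock_json)
    hits = []

    def walk(deps, path):
        for pkg, meta in deps.items():
            here = path + [pkg]
            version = meta.get("version", "")
            if pkg == name and parse_version(version) < parse_version(min_safe):
                hits.append((" > ".join(here), version))
            # lockfile v1 nests a package's own resolved deps under "dependencies"
            walk(meta.get("dependencies", {}), here)

    walk(lock.get("dependencies", {}), [])
    return hits


if __name__ == "__main__":
    for path, version in find_vulnerable(SAMPLE_LOCK):
        print(f"{path}: tar@{version} is below {MIN_SAFE_TAR}")
```

Run against a real `package-lock.json` by reading the file into `find_vulnerable`; the reported path tells you which top-level dependency has to be upgraded so the fix actually reaches the nested copy.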