Dependency "tar" - high severity vulnerability

[NickThompson1993]

npm is reporting that the "tar" (gulp-sass > node-sass > node-gyp > tar) dependency version is vulnerable to Arbitrary File Overwrite. https://nodesecurity.io/advisories/803

This issue only affects tar <4.4.2, would it be possible to update Gulp-Sass's dependency to a more recent version to prevent this?

Many thanks

[stof]

this is currently being worked on by the node-gyp team: nodejs/node-gyp#1713

gulp-sass does not directly uses tar, so cannot fix it itself.

[RobertAKARobin]

@stof Looks like node-gyp merged the fix.

[stof]

@RobertAKARobin they currently merged it only in the master branch, which is the dev version of the upcoming 4.0.
There is no release containing the fix yet. The work on backporting it to their 3.8 branch to create a patch 3.8.1 release is in progress in nodejs/node-gyp#1718

[xzyfer]

Tracking in sass/node-sass#2625.

Locking this issue in the mean time.

[xzyfer]

node-tar released a fix. Run npm update node-tar to resolve the npm audit warnings.