
Fix 'Arbitrary File Overwrite' high priority NPM vulnerability

Open. whatl3y opened this issue 6 years ago. 1 comment

I know there's an open issue asking if this package is being maintained, but this issue will be to simply document the high priority vulnerability of a dependency of this package.

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ High          │ Arbitrary File Overwrite                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ tar                                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=4.4.2                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ MYPRIVATEPACKAGE                                             │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ MYPRIVATEPACKAGE > pg-query-parser > pg-query-native >       │
│               │ node-gyp > tar                                               │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/803                             │
└───────────────┴──────────────────────────────────────────────────────────────┘

whatl3y, May 07 '19 18:05
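As an added example (not code from the issue author or from pg-query-parser), the check below walks an npm lockfile-style dependency tree and reports every copy of a package older than the advisory's patched version, together with the path that pulled it in, so a nested `tar` under `node-gyp` is caught even when a patched copy is hoisted to the top level. It assumes lockfile v1 nesting (`dependencies` objects inside `dependencies`); the lockfile fragment and its version numbers are constructed to mirror the path in the audit table.

```javascript
// Added example: find nested copies of a package below the patched version.
// Assumes npm lockfile v1 nesting; the tree below is constructed, not real data.
const ADVISORY = { name: 'tar', patchedIn: '4.4.2' }; // from the audit table above

// Constructed lockfile fragment mirroring the reported path; versions are made up.
const lock = {
  name: 'MYPRIVATEPACKAGE',
  dependencies: {
    'pg-query-parser': { version: '1.0.0', dependencies: {
      'pg-query-native': { version: '1.0.0', dependencies: {
        'node-gyp': { version: '3.0.0', dependencies: { tar: { version: '2.2.1' } } },
      } },
    } },
    tar: { version: '4.4.8' }, // hoisted top-level copy that is already patched
  },
};

// Numeric major.minor.patch comparison; pre-release tags are ignored.
// Returns <0, 0 or >0 like an Array.prototype.sort comparator.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Recursively collect vulnerable copies of `name`. A patched copy at the root
// does not protect an older nested copy, so every level of the tree is checked.
function findVulnerable(tree, name, patchedIn, path = [tree.name]) {
  const hits = [];
  for (const [dep, info] of Object.entries(tree.dependencies || {})) {
    const here = [...path, dep];
    if (dep === name && compareVersions(info.version, patchedIn) < 0) {
      hits.push({ path: here.join(' > '), version: info.version });
    }
    hits.push(...findVulnerable(info, name, patchedIn, here));
  }
  return hits;
}

console.log(findVulnerable(lock, ADVISORY.name, ADVISORY.patchedIn));
```

Run against a real `package-lock.json` by replacing `lock` with `JSON.parse(fs.readFileSync('package-lock.json'))`; lockfile v2/v3 files also carry a `packages` map, which this walker does not read.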

https://www.npmjs.com/advisories/803

I'm maintaining a fork that the community is using (https://github.com/pyramation/pgsql-parser)

So this looks like pg-query-native would need to update node-gyp version?

pyramation, Jun 04 '20 23:06