node-mksnapshot

Fix security issue by updating decompress-zip

Open AoDev opened this issue 7 years ago • 5 comments

Got a warning corresponding to this security issue: https://www.npmjs.com/advisories/777

From the issue description:

"For decompress-zip 0.3.x upgrade to 0.3.2 or later."

AoDev avatar Jan 30 '19 18:01 AoDev

Got the same error while using electron-packager. The problem goes back to your package. There is an update available for decompress-zip.

AstroGD avatar Jan 30 '19 21:01 AstroGD

Actually it's a bit weird, this package is under "electron-archive", supposedly for packages that are not maintained anymore.

AoDev avatar Jan 30 '19 23:01 AoDev

Oh, that's not good. But why is it used then if it's no longer maintained? This is a potential risk for every program...

AstroGD avatar Jan 31 '19 14:01 AstroGD

Please update decompress-zip to at least 0.3.2.

Until then, I have recommended on packages that use this to replace it with a maintained package.

Orrison avatar Feb 12 '19 07:02 Orrison

@kevinsawicki You were the last person to commit to this repo. Is this issue something you can look into? asar depends on this package, which a LOT of other packages depend on. Should be a quick fix by someone that has push permissions.

ThadHouse avatar Feb 15 '19 06:02 ThadHouse
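
The thread turns on decompress-zip arriving transitively, so the following added example (not part of the thread or of the project's code) walks a lockfile and reports which packages resolve to a 0.3.x copy older than 0.3.2. It assumes the package-lock.json v1 layout; the sample lockfile is constructed and its package names other than decompress-zip are hypothetical.

```javascript
// Added example. Lockfile layout assumed: package-lock.json v1, where each
// entry has "version", optional "requires" and optional nested "dependencies".
const TARGET = 'decompress-zip';

// Flags only what the quoted advisory text covers: 0.3.x older than 0.3.2.
// Other release lines are not judged here.
function isFlagged(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(version || '');
  if (!m) return false;
  const [major, minor, patch] = m.slice(1).map(Number);
  return major === 0 && minor === 3 && patch < 2;
}

// Returns one record per package whose require of TARGET resolves to a
// flagged copy, using Node's rule that the nearest node_modules wins.
function findFlagged(lock) {
  const hits = [];
  function walk(deps, outerScopes, path) {
    if (!deps) return;
    const scopes = [deps, ...outerScopes]; // nearest scope first
    for (const [name, info] of Object.entries(deps)) {
      const here = [...path, name];
      if (info.requires && TARGET in info.requires) {
        const own = info.dependencies || {};
        const scope = [own, ...scopes].find((s) => s[TARGET]);
        if (scope && isFlagged(scope[TARGET].version)) {
          hits.push({ requiredBy: here.join(' > '), version: scope[TARGET].version });
        }
      }
      walk(info.dependencies, scopes, here);
    }
  }
  walk(lock.dependencies, [], []);
  return hits;
}

// Constructed sample: package names other than decompress-zip are hypothetical.
const SAMPLE_LOCK = {
  dependencies: {
    'example-snapshot-tool': { version: '1.0.0', requires: { [TARGET]: '0.3.0' } },
    [TARGET]: { version: '0.3.0' },
    'example-extractor': {
      version: '2.0.0',
      requires: { [TARGET]: '^0.3.2' },
      dependencies: { [TARGET]: { version: '0.3.2' } },
    },
  },
};

console.log(findFlagged(SAMPLE_LOCK));
```

Each `requiredBy` value is the package's location in the lockfile tree, which identifies the dependency that has to be updated or replaced.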