[Security] Vulnerable library brought in -> decompress-tar@4.1.1
Seems the latest version of node-jq (2.3.5) ends up bringing in the vulnerable library decompress-tar@4.1.1. More details about this vulnerability here - https://security.snyk.io/package/npm/decompress-tar
The complete dependency tree is:
dependencies:
node-jq 2.3.5
└─┬ bin-build 3.0.0
  ├─┬ decompress 4.2.1
  │ ├── decompress-tar 4.1.1
  │ ├─┬ decompress-tarbz2 4.1.1
  │ │ └── decompress-tar 4.1.1
  │ └─┬ decompress-targz 4.1.1
  │   └── decompress-tar 4.1.1
  └─┬ download 6.2.5
    └─┬ decompress 4.2.1
      ├── decompress-tar 4.1.1
      ├─┬ decompress-tarbz2 4.1.1
      │ └── decompress-tar 4.1.1
      └─┬ decompress-targz 4.1.1
        └── decompress-tar 4.1.1
Please consider changing the dependency tree so decompress-tar@4.1.1 is not used.
Is anyone looking into the issue?
Was able to work around this for the time being:
package.json:
  "overrides": {
    "node-jq": {
      "bin-build": "github:brave/bin-build#modernize"
    }
  }
Thanks for opening the issue @mlawrence999, and sorry for the late response.
As you can see, node-jq doesn't depend on bin-build at runtime, so this security vulnerability doesn't happen if you use node-jq as expected.
It's always nice to keep security vulnerabilities at 0, even though they are not affecting any user. The dependency where we should keep the issue open is https://github.com/kevva/bin-build
As @kitschpatrol suggests, please override with a dependency where this is fixed. I won't release a node-jq version pointing to a GitHub repo since this can be an attack vector.