
⚠️ WARNING ⚠️ tar.gz module has been deprecated and your application is vulnerable

Open pizzarob opened this issue 7 years ago • 10 comments

ALERT: npm WARN deprecated [email protected]: ⚠️ WARNING ⚠️ tar.gz module has been deprecated and your application is vulnerable. Please use tar module instead: https://npmjs.com/tar

pizzarob avatar Nov 09 '17 19:11 pizzarob

@sintaxi @djanowski I have this issue reported on the ember-cli-surge project also. https://github.com/kiwiupover/ember-cli-surge/issues/104

I believe the issue is related to security too.

kiwiupover avatar Nov 15 '17 17:11 kiwiupover

Any movement on this? Any project that uses surge, even just for its demo app, is going to cause concern among developers when they see a giant security warning on github due to this dependency.

elwayman02 avatar Jan 07 '18 08:01 elwayman02

I have these fixed here, but npm test:local is failing, so I'm hesitant to make a pull request.

sa-mm avatar Jan 16 '18 16:01 sa-mm

Might as well make a PR and see if it passes in CI. Could be a local issue.

elwayman02 avatar Jan 16 '18 19:01 elwayman02

Thanks for taking a look at this. I'll have a peek at your branch. I have a fairly big release in the works. I'll make sure a fix for this issue gets included.

sintaxi avatar Jan 17 '18 02:01 sintaxi

> Thanks for taking a look at this. I'll have a peek at your branch. I have a fairly big release in the works. I'll make sure a fix for this issue gets included.

@sintaxi Is it possible to clone the repo, merge the PR, and do a patch release? Then at a later point, do your big release?

As of right now, any project that has surge as a dep or dev dep is getting security notifications from github delivered to the maintainers of the repos.

So getting this fixed immediately would save a lot of time for all the devs that depend on your package.

balupton avatar Jan 24 '18 12:01 balupton

Any update on this?

elwayman02 avatar Feb 15 '18 07:02 elwayman02

Just to emphasise the annoyance of this. I have dozens of repos that have surge as a dev dep. And for each update posted for them, the other maintainers and I get these alerts:

[four screenshots of the GitHub security alerts, taken 2018-02-15]

If you are new to this error, it takes about 5-15 minutes to debug that the cause is surge.

Multiply this by each surge user.

balupton avatar Feb 15 '18 09:02 balupton
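The 5-15 minutes of debugging mentioned above is spent working out which dependency drags in the deprecated package. As an added example (not code from the surge project or from any commenter in this thread), the Node script below walks an npm lockfile-v1 style `dependencies` tree and reports every chain that `requires` a given package, here `tar.gz`. The lockfile object, its versions and the `build-helper` / `archiver-wrapper` packages are constructed for illustration and are not surge's real dependency graph.

```javascript
// Added example (not surge's code): find which dependencies in an npm
// lockfile-v1 style tree pull in a deprecated package such as "tar.gz".

const DEPRECATED_PACKAGE = "tar.gz";

// Constructed sample lockfile. Versions and the "build-helper" /
// "archiver-wrapper" packages are invented for illustration only.
const sampleLock = {
  name: "my-app",
  lockfileVersion: 1,
  dependencies: {
    surge: {
      version: "0.0.0-constructed",
      dev: true, // a devDependency, as in the repos discussed above
      requires: { "tar.gz": "^1.0.5", "tar-fs": "^1.16.0" },
    },
    "build-helper": {
      version: "0.0.0-constructed",
      requires: { "archiver-wrapper": "^2.0.0" },
      dependencies: {
        "archiver-wrapper": {
          version: "0.0.0-constructed",
          requires: { "tar.gz": "^1.0.5" }, // transitive consumer, two levels deep
        },
      },
    },
    "tar-fs": { version: "0.0.0-constructed", requires: {} },
    "tar.gz": { version: "0.0.0-constructed", requires: {} },
  },
};

// Walk the nested "dependencies" tree depth-first. Every node whose
// "requires" map names the target is reported together with its full
// path from the project root, so a maintainer can see exactly which
// direct dependency is responsible for the deprecation warning.
function findDependencyPaths(lock, target, path = [], out = []) {
  const deps = lock.dependencies || {};
  for (const [name, node] of Object.entries(deps)) {
    const here = path.concat(name);
    const requires = node.requires || {};
    if (Object.prototype.hasOwnProperty.call(requires, target)) {
      out.push({ path: here, range: requires[target], dev: Boolean(node.dev) });
    }
    findDependencyPaths(node, target, here, out); // recurse into nested deps
  }
  return out;
}

// Render one human-readable line per offending chain, e.g.
// "surge (dev) requires tar.gz@^1.0.5".
function formatReport(results, target = DEPRECATED_PACKAGE) {
  return results.map(
    (r) => `${r.path.join(" > ")}${r.dev ? " (dev)" : ""} requires ${target}@${r.range}`
  );
}

// Stand-alone run over the constructed sample.
const hits = findDependencyPaths(sampleLock, DEPRECATED_PACKAGE);
console.log(
  hits.length
    ? formatReport(hits).join("\n")
    : "no dependency requires " + DEPRECATED_PACKAGE
);
```

On a real project the same question can be asked of npm directly with `npm ls tar.gz`, which prints the dependency chains that resolve to that package; the script above is useful when you want to run the check in CI against a committed lockfile, or to distinguish dev-only consumers (which never ship to production) from runtime ones before deciding how urgent an upgrade is.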

Working hard on getting this release ready and I agree this is very annoying. Please air your grievances with github because this warning is a false positive and unnecessary in the context of how surge uses the tar lib. Github is overreaching and it's extremely frustrating as a library author.

sintaxi avatar Feb 15 '18 10:02 sintaxi

@sintaxi I understand, much love to all open-source maintainers ❤️

balupton avatar Feb 15 '18 10:02 balupton