tfjs-node - upgrade tar >=6.2.1
I've been receiving this moderate security error for a while
npm audit

```text
tar <6.2.1
Severity: moderate
Denial of service while parsing a tar file due to lack of folders count validation - https://github.com/advisories/GHSA-f5x3-32g6-xq36
@tensorflow/tfjs-node >=0.1.12
Depends on vulnerable versions of tar
node_modules/@tensorflow/tfjs-node
```
Hopefully as simple as updating the dependency and releasing a patched version to npm.
Hi, @crisward
We sincerely apologize for the delay in our response. We appreciate you bringing this important issue to our attention.
We've identified that the @tensorflow/tfjs-node package currently specifies a dependency on "tar": "^4.4.6". To address a known security vulnerability detailed in this GitHub security advisory: https://github.com/isaacs/node-tar/security/advisories/GHSA-f5x3-32g6-xq36, we'll need to update the tar dependency to a version greater than or equal to 6.2.1.
Our team is actively discussing this update and we will implement a fix shortly. We truly value your time and appreciate you helping us maintain a secure environment.
Thank you for your cooperation and patience.
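While a patched release is pending, a consumer can check which installed copies of `tar` are still below the fixed version and pin them through the npm `overrides` field (supported by npm 8.3 and later). The script below is an added example, not code from tfjs or from anyone in this thread: it walks the `packages` map of a lockfileVersion 2/3 `package-lock.json`, flags every copy of a named package older than the fixed version, and derives the `overrides` stanza that targets only the parent packages that carry a vulnerable copy. The lock file contents, the tfjs-node version `4.0.0` and the nested `tar` version `4.4.19` are constructed sample data.

```javascript
// Added example, not code from tfjs or this issue thread. Scans an npm lock
// file (lockfileVersion 2 or 3, "packages" map) for installed copies of a
// package below a fixed version and builds the package.json "overrides"
// stanza that pins those copies to the patched range.

// Constructed sample lock: the root project depends on tfjs-node, which
// carries its own nested tar 4.x; the top-level tar is already 6.2.1.
const SAMPLE_LOCK = {
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", dependencies: { "@tensorflow/tfjs-node": "^4.0.0" } },
    "node_modules/@tensorflow/tfjs-node": {
      version: "4.0.0",                // hypothetical version
      dependencies: { tar: "^4.4.6" }, // the range cited by the maintainer
    },
    "node_modules/@tensorflow/tfjs-node/node_modules/tar": { version: "4.4.19" },
    "node_modules/tar": { version: "6.2.1" },
  },
};

// Parse "MAJOR.MINOR.PATCH"; any prerelease or build suffix is ignored.
function parseSemver(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`not a semver version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Numeric comparison of two versions: negative, zero or positive.
function compareSemver(a, b) {
  const pa = parseSemver(a), pb = parseSemver(b);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// Name of the package that owns an installed path, e.g.
// "node_modules/@tensorflow/tfjs-node/node_modules/tar" -> "@tensorflow/tfjs-node".
// A top-level install returns "" (the root project itself).
function parentOf(installPath) {
  const parts = installPath.split("node_modules/");
  // parts[0] is "" for top-level paths; the last part is the package itself.
  if (parts.length < 3) return "";
  return parts[parts.length - 2].replace(/\/$/, "");
}

// Every installed copy of pkgName whose version is below fixedVersion.
function findVulnerable(lock, pkgName, fixedVersion) {
  const out = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (!path.endsWith(`node_modules/${pkgName}`) || !entry.version) continue;
    if (compareSemver(entry.version, fixedVersion) < 0) {
      out.push({ path, version: entry.version, parent: parentOf(path) });
    }
  }
  return out;
}

// Build the "overrides" stanza that forces the patched range only where a
// vulnerable copy is installed: nested under the parent package, or at the
// top level when the root project's own copy is the old one.
function buildOverrides(findings, pkgName, range) {
  const overrides = {};
  for (const f of findings) {
    if (f.parent === "") overrides[pkgName] = range;
    else overrides[f.parent] = { ...(overrides[f.parent] || {}), [pkgName]: range };
  }
  return overrides;
}

const findings = findVulnerable(SAMPLE_LOCK, "tar", "6.2.1");
console.log(findings);
console.log(JSON.stringify({ overrides: buildOverrides(findings, "tar", "^6.2.1") }, null, 2));
```

On the sample data the only flagged copy is the one nested under `@tensorflow/tfjs-node`, so the generated stanza is `{"overrides": {"@tensorflow/tfjs-node": {"tar": "^6.2.1"}}}`; after adding it to `package.json` and running `npm install`, `npm audit` should no longer report that path. Pinning a major-version jump of a transitive dependency is a stopgap, so re-run the package's tests before relying on it, and drop the override once the upstream release carries the fix.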
Hi, @crisward
I'm pleased to inform you that pull request https://github.com/tensorflow/tfjs/pull/8280 addressing the reported issue has been merged. Our team is actively working on releasing patched versions for both @tensorflow/tfjs-node and @tensorflow/tfjs-node-gpu to npm. We anticipate the release to occur soon. Consequently, I'm closing this issue now.
Thank you for your cooperation and patience throughout this process.