decompress-tar vulnerability #12364

Open
4 tasks done
jack1220 opened this issue Feb 20, 2024 · 1 comment
Comments

@jack1220
jack1220 commented Feb 20, 2024

Are you certain it's a bug?

  • Yes, it looks like a bug

Is the issue caused by a plugin?

  • It is not a plugin issue

Are you using the latest v3 release?

  • Yes, I'm using the latest v3 release

Is there an existing issue for this?

  • I have searched existing issues, it hasn't been reported yet

Issue description

There is a vulnerability detected (serverless@3.38.0) by Snyk regarding decompress-tar.

Detail paths as below:

  • package.json@* › serverless@3.38.0 › @serverless/dashboard-plugin@7.2.0 › @serverless/utils@6.15.0 › decompress@4.2.1 › decompress-tar@4.1.1
  • package.json@* › serverless@3.38.0 › @serverless/dashboard-plugin@7.2.0 › @serverless/utils@6.15.0 › decompress@4.2.1 › decompress-tarbz2@4.1.1 › decompress-tar@4.1.1
  • package.json@* › serverless@3.38.0 › @serverless/dashboard-plugin@7.2.0 › @serverless/utils@6.15.0 › decompress@4.2.1 › decompress-targz@4.1.1 › decompress-tar@4.1.1

I found the issue raised in decompress, but there has been no response yet. The latest release of decompress was in April 2020.

Would it be possible to replace the decompress dependency referenced in @serverless/utils@6.15.0 with some other library, since decompress seems to lack maintenance?

Service configuration (serverless.yml) content

N/A

Command name and used flags

N/A

Command output

N/A

Environment information

Framework Core: 3.38.0 (local) 3.38.0 (global)
Plugin: 7.2.0
SDK: 4.5.1
@astrahan87
We're also encountering this problem. I saw in a previous issue (#7402) that https://www.npmjs.com/package/adm-zip was mentioned as a possible alternative since decompress seems to be near-abandoned at this point.