tfjs-node - upgrade tar >=6.2.1 #8261

crisward · 2024-04-25T20:03:53Z

I've been receiving this moderate security error for a while

  npm audit
  tar  <6.2.1
  Severity: moderate
  Denial of service while parsing a tar file due to lack of folders count validation - https://github.com/advisories/GHSA-f5x3-32g6-xq36
  @tensorflow/tfjs-node  >=0.1.12
  Depends on vulnerable versions of tar
  node_modules/@tensorflow/tfjs-node

Hopefully as simple as updating the dependency and releasing a patched version to npm.

The text was updated successfully, but these errors were encountered:

gaikwadrahul8 · 2024-04-29T11:25:00Z

Hi, @crisward

We sincerely apologize for the delay in our response. We appreciate you bringing this important issue to our attention.

We've identified that the @tensorflow/tfjs-node package currently specifies a dependency on "tar": "^4.4.6". To address a known security vulnerability detailed in this GitHub security advisory: GHSA-f5x3-32g6-xq36, we'll need to update the tar dependency to a version greater than or equal to 6.2.1.

Our team is actively discussing this update and we will implement a fix shortly. We truly value your time and appreciate you helping us maintain a secure environment.

Thank you for your cooperation and patience.

crisward added the type:bug Something isn't working label Apr 25, 2024

gaikwadrahul8 self-assigned this Apr 27, 2024

gaikwadrahul8 added the comp:node.js label Apr 27, 2024

gaikwadrahul8 added the stat:awaiting tensorflower label Apr 29, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

tfjs-node - upgrade tar >=6.2.1 #8261

tfjs-node - upgrade tar >=6.2.1 #8261

crisward commented Apr 25, 2024

gaikwadrahul8 commented Apr 29, 2024 •

edited

tfjs-node - upgrade tar >=6.2.1 #8261

tfjs-node - upgrade tar >=6.2.1 #8261

Comments

crisward commented Apr 25, 2024

gaikwadrahul8 commented Apr 29, 2024 • edited

gaikwadrahul8 commented Apr 29, 2024 •

edited