decompress-zip has a vulnerability with high risk (Arbitrary File overwrite).
To fix this an update is mandatory.
@@ -23,7 +23,7 @@ | |||
"rimraf": "~2.1.4" | |||
}, | |||
"dependencies": { | |||
"decompress-zip": "0.3.2", | |||
"decompress-zip": "^0.3.2", |
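Review bot: the new `"decompress-zip": "^0.3.2"` range still has 0.3.2 as its lower bound, so the version this PR is trying to move away from remains an acceptable resolution, for example when an existing lockfile, shrinkwrap or cache already holds it. Raise the lower bound to the first decompress-zip release that contains the fix, so the affected version is excluded by the range itself instead of only being allowed to be superseded. It would also help to name that fixed release in the PR description so reviewers can confirm it falls inside >= 0.3.2 < 0.4.0.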
This change is made so that upcoming updates >= 0.3.2 <0.4.0 will automatically be installed
I was just coming to this repo to make this exact same PR. Thanks for doing it @AstroGD!
Same here, but it seems that this package is no longer maintained?!
I need this fix as well. Thanks for the work to update it. Hope it gets merged soon.
@zeke, @kevinsawicki, is there any hope to get this PR merged for this inactive package?
Not sure if anyone cares, but I bit the bullet and forked the relevant repos. I didn't publish to npm as I hope this will eventually get resolved but you can just
@bizob2828 Thanks for the effort. I'll try using your version of asar as long as there is no official fix. Did you create a PR for your fixed version at the asar repo?
It seems this PR is no longer needed as there was an update on this repo that updated the dependencies.
decompress-zip has a vulnerability with high risk (Arbitrary File overwrite)
To fix this an update is mandatory
fixes #10
fixes electron/asar#163