I've been receiving this moderate security error for a while:
npm audit
tar <6.2.1
Severity: moderate
Denial of service while parsing a tar file due to lack of folders count validation - https://github.com/advisories/GHSA-f5x3-32g6-xq36
@tensorflow/tfjs-node >=0.1.12
Depends on vulnerable versions of tar
node_modules/@tensorflow/tfjs-node
Hopefully as simple as updating the dependency and releasing a patched version to npm.
We sincerely apologize for the delay in our response. We appreciate you bringing this important issue to our attention.
We've identified that the @tensorflow/tfjs-node package currently specifies a dependency on "tar": "^4.4.6". To address a known security vulnerability detailed in this GitHub security advisory: GHSA-f5x3-32g6-xq36, we'll need to update the tar dependency to a version greater than or equal to 6.2.1.
Our team is actively discussing this update and we will implement a fix shortly. We truly value your time and appreciate you helping us maintain a secure environment.
I'm pleased to inform you that pull request #8280 addressing the reported issue has been merged. Our team is actively working on releasing patched versions for both @tensorflow/tfjs-node and @tensorflow/tfjs-node-gpu to npm. We anticipate the release to occur soon. Consequently, I'm closing this issue now.
Thank you for your cooperation and patience throughout this process.
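An added example, not part of the thread or of the tfjs code base: the `^4.4.6` range quoted in the maintainer's reply only admits 4.x releases, so no in-range resolution can reach 6.2.1 and the fix has to come from a new @tensorflow/tfjs-node release. The sketch below walks a lockfile's `packages` map, flags installed `tar` copies below 6.2.1, and reports whether the declaring package's caret range could ever reach the fix. The lockfile fragment, the `demo-app` name and all versions other than `^4.4.6` and `6.2.1` are constructed, the function names are hypothetical, and only caret ranges are modelled.

```javascript
// Added example. FIXED and "^4.4.6" come from the thread; every other
// version and the lockfile fragment below are constructed sample data.
const FIXED = "6.2.1";
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app" },
    "node_modules/@tensorflow/tfjs-node": { version: "0.0.0-constructed", dependencies: { tar: "^4.4.6" } },
    "node_modules/@tensorflow/tfjs-node/node_modules/tar": { version: "4.4.19" },
    "node_modules/tar": { version: "6.2.1" },
  },
};
const parse = (v) => v.split("-")[0].split(".").map(Number);

// true when version a sorts strictly below version b (major.minor.patch only)
function lt(a, b) {
  const x = parse(a), y = parse(b);
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] < y[i];
  return false;
}

// Exclusive upper bound of a caret range: the next potentially breaking version.
function caretCeiling(range) {
  const [maj, min, pat] = parse(range.slice(1));
  if (maj > 0) return `${maj + 1}.0.0`;
  return min > 0 ? `0.${min + 1}.0` : `0.0.${pat + 1}`;
}

// Can a caret range ever resolve to the fixed version or later? null = not modelled.
function rangeCanReachFix(range, fixed = FIXED) {
  if (!range.startsWith("^")) return null;
  return lt(fixed, caretCeiling(range));
}

// Report every installed copy of tar below the fixed version, with the
// package whose node_modules directory holds it and that package's declared range.
function findVulnerableTar(lock, fixed = FIXED) {
  const suffix = "/node_modules/tar";
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages)) {
    if (!/(^|\/)node_modules\/tar$/.test(path) || !lt(meta.version, fixed)) continue;
    const holder = path.slice(0, -suffix.length); // "" means hoisted to the root
    const range = ((lock.packages[holder] || {}).dependencies || {}).tar;
    findings.push({ path, installed: meta.version, holder: holder || "(root)", range,
      upgradableWithinRange: range ? rangeCanReachFix(range) : null });
  }
  return findings;
}
console.log(findVulnerableTar(sampleLock));
```

To run it against a real project, pass the parsed contents of that project's `package-lock.json` (lockfileVersion 2 or 3) in place of `sampleLock`.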