Commit 5edde86
Ignore tar CVEs for about 1 week
We have investigated the uses of the tar dependency and found two use
cases of it in our code base's supply chain:
- electron-builder
- grpc-tools (from their use of @mapbox-node-pre-gyp)
Currently the tar dependency update has not traversed all through the
supply chain in the packages we depend on. electron-builder and their
supply chain were very fast to bump the dependency, but it seems like
@mapbox/node-pre-gyp do not currently have an update available,
currently. A draft PR does exist though.
Link to draft PR for @mapbox/node-pre-gyp tar upgrade:
mapbox/node-pre-gyp#933
When this has been patched we should update immediately.
---
Extended reasoning on ignoring the vulnerable dependency:
The vulnerable tar dependency does not handle arbitrary tar files, as
it is only used by grpc-tools. Unless the specific tar file,
corresponding to the version of grpc-tools we depend on, is compromised
then an attack is not possible.
The tar file is hosted on Github's package repository and for an attack
to be possible either the grpc-tools team or Github's package
repository must be compromised, which currently seems unlikely.
However, even if unlikely we still want to ensure that we can protect
against this attack and if a patch hasn't been made available at the
end of this ignore period we will want to investigate other forms of
mitigation.

1 parent 7b1270e commit 5edde86
1 file changed: +12 −0 lines changed

| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
6 | 6 | | |
7 | 7 | | |
8 | 8 | | |
| 9 | + | |
| 10 | + | |
| 11 | + | |
| 12 | + | |
| 13 | + | |
| 14 | + | |
| 15 | + | |
| 16 | + | |
| 17 | + | |
| 18 | + | |
| 19 | + | |
| 20 | + | |
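Review bot: the ignore entry added at lines 9-20 is not documented with a concrete expiry; the message says "about 1 week" but gives no date, and it does not name the tar advisory IDs being suppressed. Suggest recording the expiry date, the advisory identifiers and the tracking link (mapbox/node-pre-gyp#933) as a comment next to the ignore entry in the file itself, so the suppression cannot silently outlive the intended week and the reviewer can see which advisories are covered without re-reading the commit message.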
0 commit comments