
My React application has certain dependencies which have tar package as their peer dependency. The AquaSec/Security Scan reports tar@6.1.11 to have a buffer over-read vulnerability (CVE-2020-8244). The suggested version is said to be tar@6.1.12.

How can I update the tar package to avoid the issue related to the vulnerability?

This is what I see when I run npm list tar in my app.

+-- copy-webpack-plugin@6.4.1
| `-- cacache@15.3.0
|   `-- tar@6.1.11
`-- node-sass@8.0.0
  +-- make-fetch-happen@10.2.1
  | `-- cacache@16.1.3
  |   `-- tar@6.1.11  deduped
  `-- node-gyp@8.4.1
    `-- tar@6.1.11  deduped

Also, my package.json doesn't have tar in its list of dependencies because it is used as a peer dependency.

Federick J
    Transitive dependencies is the term for this, not peer dependencies, in this case. See the answer on Overrides here: [NPM how to update/upgrade transitive dependencies?](https://stackoverflow.com/questions/56634474/npm-how-to-update-upgrade-transitive-dependencies) – Zac Anger Mar 30 '23 at 12:42
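The approach the comment above points to, shown as an added example (not code from the question or from the linked answer): the tar copies in the npm list output are all transitive, pulled in by cacache and node-gyp, so the project's own package.json never names tar. npm's overrides field (npm 8.3 and later) forces every copy of a named package in the tree to a chosen version, regardless of which dependency requested it. The dependency names and versions below are taken from the question; the project name and the fixed version tar@6.1.12 are the ones the question states, and the rest of the file layout is an assumption for illustration.

```json
{
  "name": "my-react-app",
  "private": true,
  "dependencies": {
    "copy-webpack-plugin": "6.4.1",
    "node-sass": "8.0.0"
  },
  "overrides": {
    "tar": "6.1.12"
  }
}
```

After adding the field, run npm install so the lockfile is regenerated, then re-run npm list tar: every entry, including the deduped ones under node-gyp and make-fetch-happen, should now report tar@6.1.12. Because 6.1.12 is a patch release within the same 6.x major that cacache and node-gyp already accept, the override is semver-compatible and should not change behaviour; an override that forced a different major would need a test run of the build. The same effect under Yarn is obtained with a resolutions field instead of overrides. The override only changes the npm tree, so the scanner finding is closed only once the scanner sees the regenerated package-lock.json.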

0 Answers