hrsakai opened a new pull request #28: Upgrade js-yaml to fix security vulnerability
URL: https://github.com/apache/pulsar-client-node/pull/28

Upgrade js-yaml from `3.13.0` to `3.13.1`.

The `tar` package also has a security vulnerability, but the latest version of the `node-gyp` package (requires the `tar` package) still uses a version of `tar` that includes the security vulnerability.

```
$ npm audit

=== npm audit security report ===

# Run npm update js-yaml --depth 6 to resolve 3 vulnerabilities

High            Code Injection
Package         js-yaml
Dependency of   eslint [dev]
Path            eslint > js-yaml
More info       https://nodesecurity.io/advisories/813

High            Code Injection
Package         js-yaml
Dependency of   grunt [dev]
Path            grunt > js-yaml
More info       https://nodesecurity.io/advisories/813

High            Code Injection
Package         js-yaml
Dependency of   jest [dev]
Path            jest > jest-cli > @jest/core > @jest/reporters > istanbul-api > js-yaml
More info       https://nodesecurity.io/advisories/813

Manual Review
Some vulnerabilities require your attention to resolve
Visit https://go.npm.me/audit-guide for additional guidance

High            Arbitrary File Overwrite
Package         tar
Patched in      >=4.4.2
Dependency of   node-gyp [dev]
Path            node-gyp > tar
More info       https://nodesecurity.io/advisories/803
```
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org

With regards,
Apache Git Services