Electron-packager: Update asar dependency to 1.0.0

Created on 19 Feb 2019  ·  3 comments  ·  Source: electron/electron-packager

  • [x] I have read the contribution documentation for this project.
  • [x] I agree to follow the code of conduct that this project follows, as appropriate.
  • [x] I have searched the issue tracker for an issue that matches the one I want to file, without success.

Please describe your issue:

asar 1.0.0 now has updated dependencies without which a high level "Arbitrary File Overwrite" vulnerability is present.

The dependency path to this vulnerability is electron-packager > asar > mksnapshot > decompress-zip and it is described here: https://www.npmjs.com/advisories/777

asar 1.0.0 was just updated to remove the dependency on mksnapshot, so the vulnerability in the no longer maintained decompress-zip is no longer present.

All 3 comments

👋 Thanks for opening your first issue here! If you have a question about using Electron Packager, read the support docs. If you're reporting a 🐛 bug, please make sure you include steps to reproduce it. Development and issue triage is community-driven, so please be patient and we will get back to you as soon as we can.

To help make it easier for us to investigate your issue, please follow the contributing guidelines.

Yes, I was part of getting asar to 1.0.0. I plan on doing it when I have some free time.

Also, I plan on adding dependabot to this repository, so for future reference to visitors to this repository, issues asking for dependency version updates are not necessary.
