The bundled @mapbox/node-pre-gyp includes a vulnerable version of tar

[SimonWilliams-STL]

Would it be possible to build a new version of the package so that the bundled version of tar supplied as part of @mapnox/node-pre-gyp is updated as the version in the current package contains a high severity vulnerability. This causes issues with our CI. It does not appear to be possible to override the version used in our package.json because it is a bundled dependency.

From what I have seen during my investigations, a simple rebuild and publish of this package would solve the problem as the constraints in @mapbox/node-pre-gyp will pick up the fixed version of tar if the package is rebuilt.

[mmomtchev]

No, this dependency cannot be exploited in gdal-async since it is part of the build process. Everyone who has access to the build process already has full access to the entire code.

I refuse to spend any time on this just because an obviously insane person has decided to experiment what works by asking people to post issues on my projects.

[mmomtchev]

For all the onlookers - lately, I have been going through some security advisories on my projects - and Github - who are closely monitoring my activity - have reported this - which means that the Great Combinator decided that this just might work.

[SimonWilliams-STL]

People using your package in the real world have CI/CD pipelines that will not allow packages flagged as containing high severity vulnerabilities through. It should be a simple package rebuild to fix this. If you don't want to rebuild to fix this kind of issue then don't bundle the dependency as then people can use override to update the vulnerable dependency in their system.