There's currently a chain of dependencies that are creating a security vulnerability. If possible, grunt-contrib-compress should pin to a newer version of archiver (currently @5.0.0).
grunt-contrib-compress pins to archiver at ^1.3.0: https://github.com/gruntjs/grunt-contrib-compress/blob/master/package.json#L19

This version uses tar-stream@^1.5.0: https://github.com/archiverjs/node-archiver/blob/v1.3/package.json#L38

[email protected] uses bl@^1.0.0: https://github.com/mafintosh/tar-stream/blob/17a6500850bab799f0ed6fc03237098b4acbe7de/package.json#L10

There is a current vulnerability in older versions, requiring an upgrade to packages that depend on this. Details here: https://nvd.nist.gov/vuln/detail/CVE-2020-8244
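Added example, not part of the original issue or of any project named in it: one way to confirm a chain like the one described above from a project's `package-lock.json`, by walking the lockfile's `packages` map and listing every path of declared ranges that ends at `bl`. It assumes the lockfileVersion 2/3 layout; the `LOCK` object, the names `my-app` and `example-other`, and the `0.0.0-sample` versions are constructed placeholders.

```javascript
// Added example. LOCK is constructed sample data in the lockfileVersion 3
// "packages" layout; "0.0.0-sample" versions and the names my-app and
// example-other are placeholders. Only the three ranges come from the issue.
const LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "my-app",
          devDependencies: { "grunt-contrib-compress": "*", "example-other": "*" } },
    "node_modules/example-other": { version: "0.0.0-sample" },
    "node_modules/grunt-contrib-compress": {
      version: "0.0.0-sample", dependencies: { archiver: "^1.3.0" } },
    "node_modules/archiver": {
      version: "0.0.0-sample", dependencies: { "tar-stream": "^1.5.0" } },
    "node_modules/tar-stream": {
      version: "0.0.0-sample", dependencies: { bl: "^1.0.0" } },
    // Nested copy: only tar-stream can see this bl.
    "node_modules/tar-stream/node_modules/bl": { version: "0.0.0-sample" },
  },
};

// Node-style lookup: try the requiring package's own node_modules, then each
// enclosing node_modules directory up to the project root.
function resolve(packages, fromPath, dep) {
  let scope = fromPath;
  for (;;) {
    const candidate = (scope ? scope + "/" : "") + "node_modules/" + dep;
    if (packages[candidate]) return candidate;
    if (!scope) return null; // not installed (e.g. skipped optional dependency)
    const cut = scope.lastIndexOf("/node_modules/");
    scope = cut === -1 ? "" : scope.slice(0, cut);
  }
}

// Return every chain of declared ranges leading from the root project to `target`.
function findChains(lock, target) {
  const pk = lock.packages, chains = [];
  const walk = (path, chain, seen) => {
    const p = pk[path];
    const deps = { ...p.dependencies, ...p.optionalDependencies,
                   ...(path === "" ? p.devDependencies : {}) };
    for (const [dep, range] of Object.entries(deps)) {
      const hit = resolve(pk, path, dep);
      if (!hit || seen.has(hit)) continue; // missing, or a dependency cycle
      const next = [...chain, `${dep}@${range}`];
      if (dep === target) chains.push(next);
      else walk(hit, next, new Set(seen).add(hit));
    }
  };
  walk("", [pk[""].name], new Set([""]));
  return chains;
}

console.log(findChains(LOCK, "bl").map((c) => c.join(" -> ")).join("\n"));
```

Against a real project, pass the parsed lockfile instead of `LOCK`, for example `findChains(require("./package-lock.json"), "bl")`; the second element of each chain is the direct dependency whose pin has to move.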