Upgrade `appmetrics` to latest version

[hsandovalskytap]

Hello,

recently we noticed there is a security vulnerability in node-tar which is being used by one of your dependencies, appmetrics

└─┬ strong-supervisor@6.2.0 └─┬ appmetrics@3.1.3 └── tar@2.2.1

appmetrics has already addressed the problem but you would need to upgrade to the latest version, appmetrics@4.0.1.

Could you help us out upgrading appmetrics to the latest version?

[sam-github]

I'm not sure who is maintaining this anymore. That said:

1. test don't pass with appmetrics@4. This could be related to appmetrics, or not, and it doesn't have a changelog (that I found).
2. the vulnerabilities in node-tar are irrelevant to appmetrics. The vulnnerability affects using node-tar to untar user-provided tarballs (which could have poison data). Appmetrics uses tar only sometimes, and always to untar tarballs that are part of its distribution.

[scottbrady]

Hello! Is there an ETA to remediate the advisory on this package? npm/yarn audit is showing a vulnerability for this package's dependency.

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ high          │ Arbitrary File Overwrite                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ tar                                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=4.4.2                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ strong-supervisor                                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ strong-supervisor > appmetrics > tar                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/803                         │
└───────────────┴──────────────────────────────────────────────────────────────┘
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ high          │ Arbitrary File Overwrite                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ tar                                                          │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=4.4.2                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ strong-supervisor                                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ strong-supervisor > appmetrics-dash > appmetrics > tar       │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/803                         │
└───────────────┴──────────────────────────────────────────────────────────────┘

Thanks!

[smartmouse]

yes, can we upped to appmetrics dependencies to latest version which is 5.x?
Got into some issues with installing the appmetrics@3.x on windows.