updated tar package version to 4.4.8

[MaksPob]

Checklist

• npm install && npm test passes
• commit message follows commit guidelines

Description of change

I updated tar package version in which there were vulnerabilities:
About vulnerability: https://app.snyk.io/vuln/SNYK-JS-TAR-174125

Reviewers

@TooTallNate

[stof]

should package-lock.json actually be committed ? It is not until now.

[stof]

AFAICT, the only BC break in v4 is isaacs/node-tar@a22932a

[stof]

shouldn't this be patched in the 3.x to be able to have it in a 3.8.1 release ?

[jimmybrawn]

pls merge

[refack]

CI: https://ci.nodejs.org/job/nodegyp-test-pull-request/118/ ✔️

[iansltx]

/me follows thread so he'll know when 3.8.1 is tagged, to unblock builds 'n' stuff

[stevendarby]

When might this be released?

[refack]

Running CI for v3.x branch - https://ci.nodejs.org/job/nodegyp-test-pull-request/119/ ❌

[refack]

CI for v3.x fails. Could someone backport this? I'll try to publish as soon as we get tests to pass.

/home/iojs/build/workspace/nodegyp-test-commit/nodes/ubuntu1604-64/lib/install.js:152
        , extracter = tar.Extract({ path: devDir, strip: 1, filter: isValid })
                          ^

TypeError: tar.Extract is not a function
    at /home/iojs/build/workspace/nodegyp-test-commit/nodes/ubuntu1604-64/lib/install.js:152:27
    at /home/iojs/build/workspace/nodegyp-test-commit/nodes/ubuntu1604-64/node_modules/mkdirp/index.js:30:20
    at FSReqWrap.oncomplete (fs.js:135:15)

[jaredbeck]

Gotta love it when you apply a security patch to your dependency (in this case, tar) and it includes breaking changes (TypeError: tar.Extract is not a function). </sarcasm>

-  "tar": "^3.1.3",
+  "tar": "^4.4.8",

tar isn't going to backport the security patch to the 3-series, huh?

[richardlau]

Gotta love it when you apply a security patch to your dependency (in this case, tar) and it includes breaking changes (TypeError: tar.Extract is not a function). </sarcasm>

-  "tar": "^3.1.3",
+  "tar": "^4.4.8",

tar isn't going to backport the security patch to the 3-series, huh?

tar.Extract was removed in tar@3. node-gyp@3.8.0 is still using tar@2

node-gyp/package.json

Line 35 in e6699d1

"tar": "^2.0.0",

When we bumped tar to 3 (#1212) it was deemed a breaking change so it was made on master but not the v3.x branch. It was breaking for Node.js v0.10 and Node.js v0.12 which are long out of support, so maybe we can reconsider that decision? cc @nodejs/node-gyp

[mstubna]

@richardlau confirmed that porting the changes from #1212 into the v3.x branch makes all the tests pass

[ebmeierj]

Any idea when this will be released? All of our CI builds are complaining about the vulnerability.

[stof]

@ebmeierj see #1718 for the work on bring that in the 3.x codebase (currently, it is merged only in master, which is the WIP of 4.0)

[smity81435]

Seems that a lot of people are having this issue (myself included)... I suppose you could say they are stuck on the tar?

[samabp]

@smity81435 Yes that is where I am stuck.

[iwaduarte]

Is there anything that we could in order to (at least) temporarily fix this ?

[jimmybrawn]

Change your package-lock and use `npm ci` to install your deps

…

On Fri, 26 Apr 2019, 13:21 iwaduarte, ***@***.***> wrote: Is there anything that we could in order to temporarily fix this ? — You are receiving this because you commented. Reply to this email directly, view it on GitHub <#1713 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AA4MKIWDTZLONOIWN6LQGVDPSLQSTANCNFSM4HEGUDDQ> .

[jaysunwalter123]

Change your package-lock and use npm ci to install your deps
…
On Fri, 26 Apr 2019, 13:21 iwaduarte, @.***> wrote: Is there anything that we could in order to temporarily fix this ? — You are receiving this because you commented. Reply to this email directly, view it on GitHub <#1713 (comment)>, or mute the thread https://github.com/notifications/unsubscribe-auth/AA4MKIWDTZLONOIWN6LQGVDPSLQSTANCNFSM4HEGUDDQ .

Change it how?

[tsvetomir]

@jaysunwalter123 see sass/node-sass#2625 (comment)

[KamilPacanek]

Is it safe/recommended to modify npm manged file 'package-lock.json'? I've always thought it's not and such manual edits are discouraged.

Change your package-lock and use npm ci to install your deps

[bitcoinvsalts]

I am still getting this issue:

Error: node-gyp rebuild failed with: Error: Command failed: node-gyp rebuild
gyp info it worked if it ends with ok
gyp info using node-gyp@5.0.3
gyp info using node@10.16.0 | darwin | x64
gyp info find Python using Python version 2.7.15 found at "/usr/local/Cellar/python@2/2.7.15_1/Frameworks/Python.framework/Versions/2.7/Resources/Python.app/Contents/MacOS/Python"
gyp http GET https://nodejs.org/download/release/v10.16.0/node-v10.16.0-headers.tar.gz
gyp http 200 https://nodejs.org/download/release/v10.16.0/node-v10.16.0-headers.tar.gz
gyp ERR! UNCAUGHT EXCEPTION 
gyp ERR! stack TypeError: tar.extract is not a function

any idea how to resolve this?

HF