
My React application has certain dependencies which have tar package as their peer dependency. The AquaSec/Security Scan reports [email protected] to have a buffer over-read vulnerability (CVE-2020-8244). The suggested version is said to be [email protected].

How can I update the tar package to avoid the issue related to this vulnerability?

This is what I see when I run npm list tar in my app.

+-- [email protected]
| `-- [email protected]
|   `-- [email protected]
`-- [email protected]
  +-- [email protected]
  | `-- [email protected]
  |   `-- [email protected]  deduped
  `-- [email protected]
    `-- [email protected]  deduped

Also, my package.json doesn't have tar in its list of dependencies because it is used as a peer dependency.

Federick J
    Transitive dependencies is the term for this, not peer dependencies, in this case. See the answer on Overrides here: [NPM how to update/upgrade transitive dependencies?](https://stackoverflow.com/questions/56634474/npm-how-to-update-upgrade-transitive-dependencies) – Zac Anger Mar 30 '23 at 12:42
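The following is an added example, not part of the question or the comment above: a package.json with an npm "overrides" block, which npm 8.3 and later honour to pin every transitive copy of a package (here tar) to one version, even though tar itself is not a direct dependency. The name "my-react-app" and the value <fixed-tar-version> are placeholders; the fixed tar version the scanner suggested is not legible on this page, so substitute the version your scan report actually names.

```json
{
  "name": "my-react-app",
  "version": "1.0.0",
  "dependencies": {},
  "overrides": {
    "tar": "<fixed-tar-version>"
  }
}
```

After adding the block, delete package-lock.json (or run npm install so the lock file is regenerated) and re-run npm list tar: every entry should now show the pinned version, with the nested copies marked deduped. Then re-run npm audit or the AquaSec scan to confirm the finding no longer fires. Pinning a transitive dependency this way can break a parent package that genuinely requires the older major version, so run the application's test suite after the override takes effect.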

0 Answers