Tar dependency not updated in package

[apoco]

I see in your github branch that you have a dependency on tar@^6.1.12, but the actual published node-ninja@1.0.2 still has a dependency of tar@^2.0.0. Perhaps you had a mishap when publishing this package or you haven't yet published a new release.

Would you be able to publish a new release for this package? This is to address a security vulernability reported by npm:

tar  <=6.2.0
Severity: high
Arbitrary File Creation/Overwrite due to insufficient absolute path sanitization - https://github.com/advisories/GHSA-3jfq-g458-7qm9
Arbitrary File Creation/Overwrite on Windows via insufficient relative path sanitization - https://github.com/advisories/GHSA-5955-9wpr-37jh
Denial of service while parsing a tar file due to lack of folders count validation - https://github.com/advisories/GHSA-f5x3-32g6-xq36
No fix available

[orgads]

ping?

[zoobab]

Can you make a merge request?

[orgads]

Already done and merged :)

[jpage-godaddy]

Yeah, it was merged here:

#15

The issue is that a new version of the package wasn't published.

 $ npm info node-ninja

node-ninja@1.0.2 | MPL-2.0 | deps: 14 | versions: 8
Node.js native addon build tool
https://github.com/codejockey/node-ninja#readme

keywords: native, addon, module, c, c++, bindings, gyp

bin: node-ninja

dist
.tarball: https://registry.npmjs.org/node-ninja/-/node-ninja-1.0.2.tgz
.shasum: 20a09e57b92e2df591993d4bf098ac3e727062b6
.integrity: sha512-wMtWsG2QZI1Z5V7GciX9OI2DVT0PuDRIDQfe3L3rJsQ1qN1Gm3QQhoNtb4PMRi7gq4ByvEIYtPwHC7YbEf5yxw==

dependencies:
fstream: ^1.0.0              minimatch: 3                 npmlog: 0 || 1 || 2          request: 2                   tar: ^2.0.0
glob: 3 || 4 || 5 || 6 || 7  mkdirp: ^0.5.0               osenv: 0                     rimraf: 2                    which: 1
graceful-fs: ^4.1.2          nopt: 2 || 3                 path-array: ^1.0.0           semver: 2.x || 3.x || 4 || 5

maintainers:
- rgbkrk <rgbkrk@gmail.com>
- ralphtheninja <ralphtheninja@riseup.net>
- hintjens <pieterh@gmail.com>

dist-tags:
latest: 1.0.2

published over a year ago by ralphtheninja <ralphtheninja@riseup.net>

$ npm info node-ninja dependencies
{
  fstream: '^1.0.0',
  glob: '3 || 4 || 5 || 6 || 7',
  'graceful-fs': '^4.1.2',
  minimatch: '3',
  mkdirp: '^0.5.0',
  nopt: '2 || 3',
  npmlog: '0 || 1 || 2',
  osenv: '0',
  'path-array': '^1.0.0',
  request: '2',
  rimraf: '2',
  semver: '2.x || 3.x || 4 || 5',
  tar: '^2.0.0',
  which: '1'
}