Vulnerabilities and deprecations in the sub dependencies

[tlaak]

Hugo-bin is using bin-wrapper 3.0.2 that is dependent on vulnerable version of download. It's also dependent on gulp-util 3.0.8 which is deprecated. There is an open issue in the bin-wrapper repository.

[satoshun00]

Thank you for reporting.
I'm waiting for a while for a bin-wrapper new release.

[naeluh]

I would also be into this fix thanks!

[XhmikosR]

Does anybody know an alternative to the download package?

[satoshun00]

Suppose I replace bin-wrapper:

• os-filter-obj: filter platform and arch
• node-fetch: download an asset
• crypto: check the checksum from the asset (Check the checksum after download #36)
• decompress: extract tar ball

[satoshun00]

ref: kevva/bin-wrapper#60

[XhmikosR]

Unfortunately, it doesn't seem bin-wrapper is maintained at all.

[tlaak]

The updates have been merged to bin-wrapper master, but it hasn't been published to npm yet.

[XhmikosR]

Yup, I'm following that myself :) I already have a branch for the node.js 4.x removal which will need to happen with the update.