zip-folder dependency relies on outdated archiver

[naderm]

One of electron-forge's dependencies installs an out of date minimatch package that is vulnerable to a DOS exploit. This dependency is required by:

zip-folder@1.0.0 > archiver@^0.11.0 > glob@~3.2.6 > minimatch@0.3

This can easily be fixed by updating zip-folder to use the latest version of archiver. I could report this issue to that project upstream, but it doesn't appear to have been updated since 2014.

The actual meat of zip-folder's code is only 20 lines of code, so it may be better to just incorporate this function / dependencies directly into electron-forge with an updated archiver dependency.

[naderm]

I also noticed a similar issue with semver, required by:

electron-windows-store@^0.10.1 > flatten-packages@^0.1.4 > semver@~2.2.1

But flatten-packages has a few more files in its directory, so I reported it downstream: arifsetiawan/flatten#21

[malept]

I'd rather have a dependency that is more up-to-date, rather than adding the code to Forge.

[naderm]

Filed downstream then: sole/node-zip-folder#10

[malept]

An alternative would be to find a different dependency that fulfills the same task, but doesn't depend on outdated modules.

[malept]

I also noticed a similar issue with semver

You may want to file an issue similar to this one at electron-windows-store, then.

[naderm]

Done electron-userland/electron-windows-store#88

[malept]

There is a PR (#325) to replace zip-folder with cross-zip but it needs people to test it. To test, set the Forge version in your project's package.json to electron-userland/electron-forge#use-cross-zip, making sure it's installed locally, and then create distributes as you normally would.