Update dependencies for vulnerabilities, please?

[ajvincent]

I'm considering using esvu for testing my library across several different JavaScript engines, but I'm concerned about the npm audit report.

[ljharb]

All of the dependencies are using ^; you can update them in your own lockfile.

Are there any npm audit complaints that require a major upgrade?

[ajvincent]

# npm audit report

tar  <6.2.1
Severity: moderate
Denial of service while parsing a tar file due to lack of folders count validation - https://github.com/advisories/GHSA-f5x3-32g6-xq36
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/tar
  esvu  >=1.0.0
  Depends on vulnerable versions of tar
  node_modules/esvu

2 moderate severity vulnerabilities

To address all issues (including breaking changes), run:
  npm audit fix --force

The report states anything less than 6.2.1 is considered vulnerable. esvu's tar dependency is ^5.0.5.

Granted, the sources are probably trusted. Apologies for the delay.

[ajvincent]

The good news is a quick perusal of the esvu code (src/common.js) and node-tar's documentation implies the upgrade will be compatible.

[devsnek]

these vulnerabilities don't represent any real world problem so this issue is fairly low on my list, but feel free to open a PR updating the deps to your satisfaction.