Future of mholt/archiver fork?

Hi,

Our Sonatype Nexus is reporting a problem with anchore/archiver/v3 library claiming it is vulnerable to CVE-2024-0406.

Looking at the pinned forks issue on GitHub, the message suggests there is a fix for this CVE in anchore’s fork of the mholt library so in this case Nexus might be wrong. Can you confirm that this CVE is fixed in the anchore fork?

However, the mholt/archiver library that was originally forked is now deprecated (and archived) in favour of a new library mholt/archives. Are there any plans to upgrade away from mholt/archiver?

Thanks
Dan

Hey @danrollason :waving_hand:, yes we have CVE-2024-0406 fixed in the fork (via this PR). I don’t think there’s a reason to stay on the fork, but if memory serves there was a blocking issue when we tried to update to archiver v4. However, it looks like a user in the community has contributed an unreviewed update to archives, so I suspect whatever the issue we ran into with the other library has been mitigated and we will probably start using the newer one before long.