
[security fix] Updated archiver dependency; drops support for node 0.8.x #58

Merged (1 commit, Sep 20, 2016)

Conversation

PavelVanecek (Collaborator)

Old archiver comes with an old minimatch, which suffers from a known vulnerability: https://nodesecurity.io/advisories/118

Updating archiver updates minimatch as well.

Archiver no longer supports node.js 0.8.x which means crx does not support it either. I guess this deserves a major version bump.
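The reason a dependency bump like this one counts as a security fix is that the vulnerable code is not in crx itself but two or three levels down the tree (archiver pulls in glob, which pulls in minimatch). The script below, added here as an illustration and not part of crx or archiver, walks an npm-style dependency tree and reports every install path that resolves to a copy of a package below the patched version, which is what an automated audit does before it raises the kind of report mentioned in this thread. The two trees are constructed by hand and their version numbers are made up for illustration; the patched minimatch version 3.0.2 is my reading of the linked advisory and should be checked against it before reuse.

```javascript
// Added example (not crx or archiver code): flag transitive copies of a
// package whose version is below the advisory's patched version.

// Parse "1.2.3", "v1.2.3" or "1.2.3-beta.1" into [major, minor, patch].
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error('unparseable version: ' + v);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Numeric comparison, so that "3.0.10" sorts after "3.0.2" (a string compare would not).
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Depth-first walk of a tree shaped like { name, version, dependencies: { name: {...} } }.
// Returns one "a@1 > b@2 > pkg@3" path per vulnerable copy, so nested duplicates are
// all reported, not just the first one found.
function findVulnerable(tree, pkg, fixedIn) {
  const hits = [];
  (function walk(node, path) {
    const here = path.concat(node.name + '@' + node.version);
    if (node.name === pkg && compareVersions(node.version, fixedIn) < 0) {
      hits.push(here.join(' > '));
    }
    for (const [name, child] of Object.entries(node.dependencies || {})) {
      walk(Object.assign({ name }, child), here);
    }
  })(tree, []);
  return hits;
}

// Assumed patched version, taken from the advisory linked above; verify before relying on it.
const MINIMATCH_FIXED_IN = '3.0.2';

// Constructed sample trees (versions are illustrative, not what crx shipped):
// "before" carries an old minimatch via archiver > glob, "after" has the updated archiver.
const beforeTree = {
  name: 'crx', version: '0.0.0',
  dependencies: {
    archiver: { version: '0.0.1',
      dependencies: {
        glob: { version: '0.0.1',
          dependencies: { minimatch: { version: '2.0.10' } } } } },
    rsa: { version: '0.0.1' }
  }
};
const afterTree = {
  name: 'crx', version: '0.0.0',
  dependencies: {
    archiver: { version: '0.0.2',
      dependencies: {
        glob: { version: '0.0.2',
          dependencies: { minimatch: { version: '3.0.3' } } } } },
    rsa: { version: '0.0.1' }
  }
};

console.log('before:', findVulnerable(beforeTree, 'minimatch', MINIMATCH_FIXED_IN));
console.log('after: ', findVulnerable(afterTree, 'minimatch', MINIMATCH_FIXED_IN));
```

Against a real project the tree would come from `npm ls --json` rather than a literal; the point the example makes is that the check has to be done per install path, because a single vulnerable copy hidden under a transitive dependency is enough to trigger the audit report, and only a bump of the intermediate package (archiver here) removes it.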

@thom4parisot (Owner)

Well, archiver is used only to let people build their own package, so even though there is a vulnerability in minimatch, I do not see any scenario which is likely to expose them?

Unless we only want to prevent them from ReDoS-ing their own machine by wrongly configuring the crx config – which in this case can be problematic.

I am unsure about the major version bump because it means the current branch would not benefit from the security fix. [email protected] is way behind any support, so people have bigger issues if they still run it. Don't you think?

@PavelVanecek (Collaborator, Author)

I'm not aware of any scenario. The biggest pain here is that all our automation tools report a possible vulnerability and I need to deal with lots of false positives :)

If I were running a node.js app on 0.8, I would hate to see it stop working without a major version change of a dependency.

On the other hand, the last maintenance update to 0.8 was in July 2014, it seems. Maybe a memo in the changelog will do just fine.

@thom4parisot (Owner)

Agreed :-) Thanks for your feedback and for the PR!

@thom4parisot thom4parisot merged commit e2655cd into thom4parisot:master Sep 20, 2016
@thom4parisot thom4parisot mentioned this pull request Sep 21, 2016