npm audit reports a bad vulnerability in tar < 4.2.2. It has been reported since April 5th.

Etherpad-lite isn't using tar directly though. The dependency chain is npm > npm-lifecycle > node-gyp > tar.

So we need to wait for the chain to publish new versions with the dependencies fixed:

• Wait for a fixed version of node-gyp 3.x to be released ( v3.8.1 proposal (became v4.0.0) nodejs/node-gyp#1718)
• Wait for a fixed version of npm to be released
• Bump the npm dependency.

(This issue is just for tracking the progress of updates in the dependencies chain.)