diff --git a/.gitignore b/.gitignore
index 6748492014..66855599eb 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,4 @@
 gyp/test
 node_modules
 test/.node-gyp
+package-lock.json
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 33bbfad5de..9f4e2a20fa 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,15 @@
+v3.8.1 2019-04-12
+=================
+
+### Due to security concern this version drops support for Node.js versions < 4.0.0
+
+* [[`3578b2abf0`](https://github.com/nodejs/node-gyp/commit/3578b2abf0)] - **deps**: explicit limit on supported engines (Refael Ackermann)
+* [[`ec8505e15f`](https://github.com/nodejs/node-gyp/commit/ec8505e15f)] - **deps**: updated tar package version to 4.4.8 (Pobegaylo Maksim) [#1713](https://github.com/nodejs/node-gyp/pull/1713)
+* [[`6e1e425ffb`](https://github.com/nodejs/node-gyp/commit/6e1e425ffb)] - **(BREAKING for node < 4)** Upgrade to tar v3 (isaacs) [#1212](https://github.com/nodejs/node-gyp/pull/1212)
+* [[`e6699d13cd`](https://github.com/nodejs/node-gyp/commit/e6699d13cd)] - **test**: fix addon test for Node.js 12 and V8 7.4 (Richard Lau) [#1705](https://github.com/nodejs/node-gyp/pull/1705)
+* [[`0c6bf530a0`](https://github.com/nodejs/node-gyp/commit/0c6bf530a0)] - **lib**: use print() for python version detection (GreenAddress) [#1534](https://github.com/nodejs/node-gyp/pull/1534)
+
+
 v3.8.0 2018-08-09
 =================
 
diff --git a/lib/install.js b/lib/install.js
index cb84972e18..8a615dfb38 100644
--- a/lib/install.js
+++ b/lib/install.js
@@ -20,10 +20,8 @@ var fs = require('graceful-fs')
   , rm = require('rimraf')
   , path = require('path')
   , crypto = require('crypto')
-  , zlib = require('zlib')
   , log = require('npmlog')
   , semver = require('semver')
-  , fstream = require('fstream')
   , request = require('request')
   , mkdir = require('mkdirp')
   , processRelease = require('./process-release')
@@ -148,41 +146,33 @@ function install (fs, gyp, argv, callback) {
       var tarPath = gyp.opts.tarball
       var badDownload = false
         , extractCount = 0
-        , gunzip = zlib.createGunzip()
-        , extracter = tar.Extract({ path: devDir, strip: 1, filter: isValid })
 
       var contentShasums = {}
       var expectShasums = {}
 
       // checks if a file to be extracted from the tarball is valid.
       // only .h header files and the gyp files get extracted
-      function isValid () {
-        var name = this.path.substring(devDir.length + 1)
-        var isValid = valid(name)
-        if (name === '' && this.type === 'Directory') {
-          // the first directory entry is ok
-          return true
-        }
+      function isValid (path, entry) {
+        var isValid = valid(path)
         if (isValid) {
-          log.verbose('extracted file from tarball', name)
+          log.verbose('extracted file from tarball', path)
           extractCount++
         } else {
           // invalid
-          log.silly('ignoring from tarball', name)
+          log.silly('ignoring from tarball', path)
         }
         return isValid
       }
 
-      gunzip.on('error', cb)
-      extracter.on('error', cb)
-      extracter.on('end', afterTarball)
-
-      // download the tarball, gunzip and extract!
+      // download the tarball and extract!
 
       if (tarPath) {
-        var input = fs.createReadStream(tarPath)
-        input.pipe(gunzip).pipe(extracter)
-        return
+        return tar.extract({
+          file: tarPath,
+          strip: 1,
+          filter: isValid,
+          cwd: devDir
+        }).then(afterTarball, cb)
       }
 
       try {
@@ -222,7 +212,11 @@ function install (fs, gyp, argv, callback) {
         })
 
         // start unzipping and untaring
-        req.pipe(gunzip).pipe(extracter)
+        res.pipe(tar.extract({
+          strip: 1,
+          cwd: devDir,
+          filter: isValid
+        }).on('close', afterTarball).on('error', cb))
       })
 
       // invoked after the tarball has finished being extracted
diff --git a/package.json b/package.json
index 9279089d7b..8d113bb246 100644
--- a/package.json
+++ b/package.json
@@ -22,7 +22,6 @@
   "bin": "./bin/node-gyp.js",
   "main": "./lib/node-gyp.js",
   "dependencies": {
-    "fstream": "^1.0.0",
     "glob": "^7.0.3",
     "graceful-fs": "^4.1.2",
     "mkdirp": "^0.5.0",
@@ -32,11 +31,11 @@
     "request": "^2.87.0",
     "rimraf": "2",
     "semver": "~5.3.0",
-    "tar": "^2.0.0",
+    "tar": "4",
     "which": "1"
   },
   "engines": {
-    "node": ">= 0.8.0"
+    "node": ">= 4.0.0"
   },
   "devDependencies": {
     "tape": "~4.2.0",