
Commit e086fc0

B4nanclaude
andauthored
chore(deps): fix high severity tar vulnerability (#994)
## Summary - Add yarn resolution to force `tar@7.5.3` fixing path sanitization vulnerabilities ### Vulnerability fixed | Package | Severity | Issue | |---------|----------|-------| | tar | High | Arbitrary File Overwrite via Insufficient Path Sanitization | | tar | High | Symlink Poisoning via Insufficient Path Sanitization | Ref: GHSA-cchq-frgv-rjh5 The remaining Dependabot alerts (preact, diff) appear to be stale - these packages are not in the current lockfile. ## Test plan - [x] `yarn npm audit` shows no security vulnerabilities (only deprecation warnings) - [ ] CI passes 🤖 Generated with [Claude Code](https://claude.ai/code) Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>
1 parent e913128 commit e086fc0

2 files changed

Lines changed: 7 additions & 60 deletions


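--- a/package.json
+++ b/package.json
@@ -175,5 +175,8 @@
 "*": "biome format --write --no-errors-on-unmatched",
 "*.{mjs,js,ts}": "eslint --fix --ext mjs,js,ts",
 "*.md": "prettier --write"
+},
+"resolutions": {
+"tar": "7.5.3"
 }
 }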
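Review bot: The added `"tar": "7.5.3"` resolution overrides every `tar` descriptor in the tree, and the yarn.lock section of this commit drops the `"tar@npm:^6.0.5, tar@npm:^6.1.11"` entry, so whichever dependencies declared tar ^6 are now silently given a 7.x major they did not request; the description does not say which packages those are or that they were exercised on tar 7. Either narrow the override to the descriptors that need it (Yarn resolutions accept scoped selectors of the form `"<consumer-package>/tar": "7.5.3"`) or state in the description that the ^6 consumers were checked against tar 7. An exact pin also means later tar patch releases, including a fix for the next advisory, will not be picked up until package.json is edited again; if the intent is only a floor, `"tar": "^7.5.3"` does that while still excluding the vulnerable versions. Since JSON cannot carry a comment, the description is the place to record which advisory the pin addresses and the condition for removing it (all consumers requiring tar ≥ 7.5.3).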

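--- a/yarn.lock
+++ b/yarn.lock
@@ -3050,13 +3050,6 @@ __metadata:
 languageName: node
 linkType: hard
 
-"chownr@npm:^2.0.0":
-version: 2.0.0
-resolution: "chownr@npm:2.0.0"
-checksum: 10c0/594754e1303672171cc04e50f6c398ae16128eb134a88f801bf5354fd96f205320f23536a045d9abd8b51024a149696e51231565891d4efdab8846021ecf88e6
-languageName: node
-linkType: hard
-
 "chownr@npm:^3.0.0":
 version: 3.0.0
 resolution: "chownr@npm:3.0.0"
@@ -4737,15 +4730,6 @@ __metadata:
 languageName: node
 linkType: hard
 
-"fs-minipass@npm:^2.0.0":
-version: 2.1.0
-resolution: "fs-minipass@npm:2.1.0"
-dependencies:
-minipass: "npm:^3.0.0"
-checksum: 10c0/703d16522b8282d7299337539c3ed6edddd1afe82435e4f5b76e34a79cd74e488a8a0e26a636afc2440e1a23b03878e2122e3a2cfe375a5cf63c37d92b86a004
-languageName: node
-linkType: hard
-
 "fs-minipass@npm:^3.0.0":
 version: 3.0.3
 resolution: "fs-minipass@npm:3.0.3"
@@ -6720,30 +6704,13 @@ __metadata:
 languageName: node
 linkType: hard
 
-"minipass@npm:^5.0.0":
-version: 5.0.0
-resolution: "minipass@npm:5.0.0"
-checksum: 10c0/a91d8043f691796a8ac88df039da19933ef0f633e3d7f0d35dcd5373af49131cf2399bfc355f41515dc495e3990369c3858cd319e5c2722b4753c90bf3152462
-languageName: node
-linkType: hard
-
 "minipass@npm:^5.0.0 || ^6.0.2 || ^7.0.0, minipass@npm:^7.0.2, minipass@npm:^7.0.3, minipass@npm:^7.0.4, minipass@npm:^7.1.2":
 version: 7.1.2
 resolution: "minipass@npm:7.1.2"
 checksum: 10c0/b0fd20bb9fb56e5fa9a8bfac539e8915ae07430a619e4b86ff71f5fc757ef3924b23b2c4230393af1eda647ed3d75739e4e0acb250a6b1eb277cf7f8fe449557
 languageName: node
 linkType: hard
 
-"minizlib@npm:^2.1.1":
-version: 2.1.2
-resolution: "minizlib@npm:2.1.2"
-dependencies:
-minipass: "npm:^3.0.0"
-yallist: "npm:^4.0.0"
-checksum: 10c0/64fae024e1a7d0346a1102bb670085b17b7f95bf6cfdf5b128772ec8faf9ea211464ea4add406a3a6384a7d87a0cd1a96263692134323477b4fb43659a6cab78
-languageName: node
-linkType: hard
-
 "minizlib@npm:^3.0.1, minizlib@npm:^3.1.0":
 version: 3.1.0
 resolution: "minizlib@npm:3.1.0"
@@ -6764,15 +6731,6 @@ __metadata:
 languageName: node
 linkType: hard
 
-"mkdirp@npm:^1.0.3":
-version: 1.0.4
-resolution: "mkdirp@npm:1.0.4"
-bin:
-mkdirp: bin/cmd.js
-checksum: 10c0/46ea0f3ffa8bc6a5bc0c7081ffc3907777f0ed6516888d40a518c5111f8366d97d2678911ad1a6882bf592fa9de6c784fea32e1687bb94e1f4944170af48a5cf
-languageName: node
-linkType: hard
-
 "mkdirp@npm:^3.0.0":
 version: 3.0.1
 resolution: "mkdirp@npm:3.0.1"
@@ -8749,30 +8707,16 @@ __metadata:
 languageName: node
 linkType: hard
 
-"tar@npm:^6.0.5, tar@npm:^6.1.11":
-version: 6.2.1
-resolution: "tar@npm:6.2.1"
-dependencies:
-chownr: "npm:^2.0.0"
-fs-minipass: "npm:^2.0.0"
-minipass: "npm:^5.0.0"
-minizlib: "npm:^2.1.1"
-mkdirp: "npm:^1.0.3"
-yallist: "npm:^4.0.0"
-checksum: 10c0/a5eca3eb50bc11552d453488344e6507156b9193efd7635e98e867fab275d527af53d8866e2370cd09dfe74378a18111622ace35af6a608e5223a7d27fe99537
-languageName: node
-linkType: hard
-
-"tar@npm:^7.5.2":
-version: 7.5.2
-resolution: "tar@npm:7.5.2"
+"tar@npm:7.5.3":
+version: 7.5.3
+resolution: "tar@npm:7.5.3"
 dependencies:
 "@isaacs/fs-minipass": "npm:^4.0.0"
 chownr: "npm:^3.0.0"
 minipass: "npm:^7.1.2"
 minizlib: "npm:^3.1.0"
 yallist: "npm:^5.0.0"
-checksum: 10c0/a7d8b801139b52f93a7e34830db0de54c5aa45487c7cb551f6f3d44a112c67f1cb8ffdae856b05fd4f17b1749911f1c26f1e3a23bbe0279e17fd96077f13f467
+checksum: 10c0/e5e3237bca325fbb33282d92d9807f4c8d81abaf71bf2627efdf93bd5610c146460c78fc7e9767d4ab5ae3c0b18af8197314c964f8cbd23b30b25bf4d42d7cb4
 languageName: node
 linkType: hard
 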