Fix CVE-2026-31802 by updating tar to patched versions (#345)

sbouchet · web-flow · commit 98610159253f · 2026-03-23T16:23:49.000-04:00
- This PR fixes GHSA-9ppj-qmqm-q256: Symlink Path Traversal via Drive-Relative Linkpath - tar version is updated to 7.5.11 - Fixes CRW-10348 Signed-off-by: Stephane Bouchet <sbouchet@redhat.com>
diff --git a/cloud-shell/package.json b/cloud-shell/package.json
@@ -28,7 +28,7 @@
   "resolutions": {
     "cipher-base": "^1.0.6",
     "sha.js": "^2.4.12",
-    "tar": "7.5.7",
+    "tar": "7.5.11",
     "minimatch@^3.1.1": "^3.1.5",
     "minimatch@^10.1.1": "^10.2.4",
     "ajv": "6.14.0"
diff --git a/cloud-shell/yarn.lock b/cloud-shell/yarn.lock
@@ -4778,16 +4778,16 @@ __metadata:
   languageName: node
   linkType: hard
 
-"tar@npm:7.5.7":
-  version: 7.5.7
-  resolution: "tar@npm:7.5.7"
+"tar@npm:7.5.11":
+  version: 7.5.11
+  resolution: "tar@npm:7.5.11"
   dependencies:
     "@isaacs/fs-minipass": "npm:^4.0.0"
     chownr: "npm:^3.0.0"
     minipass: "npm:^7.1.2"
     minizlib: "npm:^3.1.0"
     yallist: "npm:^5.0.0"
-  checksum: 10c0/51f261afc437e1112c3e7919478d6176ea83f7f7727864d8c2cce10f0b03a631d1911644a567348c3063c45abdae39718ba97abb073d22aa3538b9a53ae1e31c
+  checksum: 10c0/b6bb420550ef50ef23356018155e956cd83282c97b6128d8d5cfe5740c57582d806a244b2ef0bf686a74ce526babe8b8b9061527623e935e850008d86d838929
   languageName: node
   linkType: hard
 
