chore(deps): upgrade tar to 7.5.9 to fix CVE-2026-26960 (#19445)

Lms24 · cursoragent · web-flow · commit 98cb3f695bcc · 2026-02-20T09:51:05.000+01:00
## Summary - Bumps `@mapbox/node-pre-gyp` from `2.0.0` to `2.0.3` (transitive dep via `@sentry/aws-serverless` → `@vercel/nft`) - This resolves `tar` from `7.5.7` to `7.5.9`, patching [GHSA-83g3-92jg-28cx](GHSA-83g3-92jg-28cx) / CVE-2026-26960 - No `package.json` changes — existing version ranges already permitted the newer versions; only `yarn.lock` was updated ## Vulnerability **CVE-2026-26960** (High, CVSS 7.1) — Arbitrary file read/write via hardlink target escape through symlink chain in `tar.extract()`. An attacker-controlled archive can create a hardlink inside the extraction directory pointing to a file outside the extraction root using default options. **Affected:** `tar < 7.5.8` | **Patched:** `tar >= 7.5.8` ## Dependency chain ``` @sentry/aws-serverless → @vercel/nft → @mapbox/node-pre-gyp 2.0.0 → 2.0.3 → tar 7.5.7 → 7.5.9 ``` Fixes https://github.com/getsentry/sentry-javascript/security/dependabot/1063 Made with [Cursor](https://cursor.com) Co-authored-by: Cursor <cursoragent@cursor.com>
diff --git a/package.json b/package.json
@@ -127,10 +127,10 @@
     "es-check": "^7.2.1",
     "eslint": "8.57.0",
     "jsdom": "^21.1.2",
-    "nx": "22.5.0",
     "madge": "8.0.0",
     "nodemon": "^3.1.10",
     "npm-run-all2": "^6.2.0",
+    "nx": "22.5.0",
     "oxfmt": "^0.32.0",
     "rimraf": "^5.0.10",
     "rollup": "^4.35.0",
diff --git a/yarn.lock b/yarn.lock
@@ -5686,9 +5686,9 @@
   integrity sha512-Z7C/xXCiGWsg0KuKsHTKJxbWhpI3Vs5GwLfOean7MGyVFGqdRgBbAjOCh6u4bbjPc/8MJ2pZmK/0DLdCbivLDA==
 
 "@mapbox/node-pre-gyp@^2.0.0":
-  version "2.0.0"
-  resolved "https://registry.yarnpkg.com/@mapbox/node-pre-gyp/-/node-pre-gyp-2.0.0.tgz#16d1d9049c0218820da81a12ae084e7fe67790d1"
-  integrity sha512-llMXd39jtP0HpQLVI37Bf1m2ADlEb35GYSh1SDSLsBhR+5iCxiNGlT31yqbNtVHygHAtMy6dWFERpU2JgufhPg==
+  version "2.0.3"
+  resolved "https://registry.yarnpkg.com/@mapbox/node-pre-gyp/-/node-pre-gyp-2.0.3.tgz#236aa1f62c101ce4c9db15697cb652ec69dca379"
+  integrity sha512-uwPAhccfFJlsfCxMYTwOdVfOz3xqyj8xYL3zJj8f0pb30tLohnnFPhLuqp4/qoEz8sNxe4SESZedcBojRefIzg==
   dependencies:
     consola "^3.2.3"
     detect-libc "^2.0.0"
@@ -28715,7 +28715,6 @@ stylus@0.59.0, stylus@^0.59.0:
 
 sucrase@^3.27.0, sucrase@^3.35.0, sucrase@getsentry/sucrase#es2020-polyfills:
   version "3.36.0"
-  uid fd682f6129e507c00bb4e6319cc5d6b767e36061
   resolved "https://codeload.github.com/getsentry/sucrase/tar.gz/fd682f6129e507c00bb4e6319cc5d6b767e36061"
   dependencies:
     "@jridgewell/gen-mapping" "^0.3.2"
@@ -28951,9 +28950,9 @@ tar@^6.1.11, tar@^6.1.2:
     yallist "^4.0.0"
 
 tar@^7.4.0:
-  version "7.5.7"
-  resolved "https://registry.yarnpkg.com/tar/-/tar-7.5.7.tgz#adf99774008ba1c89819f15dbd6019c630539405"
-  integrity sha512-fov56fJiRuThVFXD6o6/Q354S7pnWMJIVlDBYijsTNx6jKSE4pvrDTs6lUnmGvNyfJwFQQwWy3owKz1ucIhveQ==
+  version "7.5.9"
+  resolved "https://registry.yarnpkg.com/tar/-/tar-7.5.9.tgz#817ac12a54bc4362c51340875b8985d7dc9724b8"
+  integrity sha512-BTLcK0xsDh2+PUe9F6c2TlRp4zOOBMTkoQHQIWSIzI0R7KG46uEwq4OPk2W7bZcprBMsuaeFsqwYr7pjh6CuHg==
   dependencies:
     "@isaacs/fs-minipass" "^4.0.0"
     chownr "^3.0.0"
