Skip to content

fix(deps): vuln tar (patch → 7.5.16) #2363

Merged
Drarig29 merged 2 commits into
masterfrom
engraver-auto-version-upgrade/minorpatch/npm/1-1781556597
Jun 26, 2026
Merged

fix(deps): vuln tar (patch → 7.5.16) #2363
Drarig29 merged 2 commits into
masterfrom
engraver-auto-version-upgrade/minorpatch/npm/1-1781556597

Conversation

@gh-worker-campaigns-3e9aa4

Copy link
Copy Markdown
Contributor

Summary: High-severity security update — 1 package upgraded (patch changes only)

Manifests changed:

  • . (yarn)

✅ Action Required: Please review the changes below. If they look good, approve and merge this PR.


Updates

Package From To Type Dep Type Vulnerabilities Fixed
tar 7.5.8 7.5.16 patch Transitive 4 HIGH, 1 MEDIUM

Security Details

🚨 Critical & High Severity (4 fixed)
Package CVE Severity Summary Unsafe Version Fixed In
tar GHSA-9ppj-qmqm-q256 HIGH node-tar Symlink Path Traversal via Drive-Relative Linkpath 7.5.8 7.5.11
tar CVE-2026-31802 HIGH node-tar Symlink Path Traversal via Drive-Relative Linkpath 7.5.8 -
tar GHSA-qffp-2rhf-9h96 HIGH tar has Hardlink Path Traversal via Drive-Relative Linkpath 7.5.8 7.5.10
tar CVE-2026-29786 HIGH node-tar: Hardlink Path Traversal via Drive-Relative Linkpath 7.5.8 -
ℹ️ Other Vulnerabilities (1)
Package CVE Severity Summary Unsafe Version Fixed In
tar GHSA-vmf3-w455-68vh MODERATE node-tar applies PAX size override to intermediary GNU long-name/long-link headers, causing tar parser interpretation differential (file smuggling) 7.5.8 7.5.16

Review Checklist

Standard review:

  • Review changes for compatibility with your code
  • Check for breaking changes in release notes
  • Run tests locally or wait for CI
  • Approve and merge this PR

Update Mode: all_vulns

🤖 Generated by DataDog Automated Dependency Management System

@datadog-official

This comment has been minimized.

@dd-prapprover

dd-prapprover Bot commented Jun 16, 2026

Copy link
Copy Markdown

PRApprover will approve and merge this PR, FAQ, #dx-source-code-management

🛠️ PRApproval Status

  • ✅ PR is eligible for auto-approval by rule dependency-management-version-updater - 2026-06-16T13:47:41Z
  • ⬜ CI tests passed
  • ⬜ Approved
  • ⬜ Merge Started
  • ⬜ Merged

➡️ Current phase: CI tests failed. Please fix the failing tests to continue.

@Drarig29
Drarig29 merged commit 5a08e6d into master Jun 26, 2026
34 checks passed
@Drarig29
Drarig29 deleted the engraver-auto-version-upgrade/minorpatch/npm/1-1781556597 branch June 26, 2026 09:14
@ava-silver ava-silver mentioned this pull request Jun 29, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant