Summary
Dependabot reports multiple High-severity node-tar advisories (path traversal / arbitrary file overwrite & symlink poisoning, CVE-2026-23745) plus a couple of Moderate tar/esbuild alerts. The advisories are resolved in tar 7.5.3+, but tar is pulled in transitively and the current dependency tree pins it at 6.2.1. A straight tar bump is therefore not possible — the parent package that depends on tar must be updated first so the resolved tar version can move into the 7.x line.
Why this was not auto-fixed in the sweep
- The fix cannot be applied by bumping
tar directly; it requires bumping the parent dependency (potentially a major bump) to unblock tar 7.x.
- tar 7.5.3 is a brand-new 2026 release and is likely within the
minimumReleaseAge cooldown window the sweep must honor.
- No open Dependabot PR exists (the transitive pin blocks an automated single-package bump).
Proposed work
Notes
Surfaced during the weekly PMDS dependency + security sweep (Wk 2). References Dependabot alert #33.
Summary
Dependabot reports multiple High-severity
node-taradvisories (path traversal / arbitrary file overwrite & symlink poisoning, CVE-2026-23745) plus a couple of Moderatetar/esbuildalerts. The advisories are resolved in tar 7.5.3+, buttaris pulled in transitively and the current dependency tree pins it at 6.2.1. A straighttarbump is therefore not possible — the parent package that depends on tar must be updated first so the resolved tar version can move into the 7.x line.Why this was not auto-fixed in the sweep
tardirectly; it requires bumping the parent dependency (potentially a major bump) to unblock tar 7.x.minimumReleaseAgecooldown window the sweep must honor.Proposed work
pnpm why tar).fix(deps): resolve node-tar CVE-2026-23745 via parent bump).Notes
Surfaced during the weekly PMDS dependency + security sweep (Wk 2). References Dependabot alert #33.