Skip to content

[Security] node-tar path-traversal (CVE-2026-23745) — transitive pin caps tar at 6.2.1, fix needs 7.5.3+ #157

Description

@PAMulligan

Summary

Dependabot reports multiple High-severity node-tar advisories (path traversal / arbitrary file overwrite & symlink poisoning, CVE-2026-23745) plus a couple of Moderate tar/esbuild alerts. The advisories are resolved in tar 7.5.3+, but tar is pulled in transitively and the current dependency tree pins it at 6.2.1. A straight tar bump is therefore not possible — the parent package that depends on tar must be updated first so the resolved tar version can move into the 7.x line.

Why this was not auto-fixed in the sweep

  • The fix cannot be applied by bumping tar directly; it requires bumping the parent dependency (potentially a major bump) to unblock tar 7.x.
  • tar 7.5.3 is a brand-new 2026 release and is likely within the minimumReleaseAge cooldown window the sweep must honor.
  • No open Dependabot PR exists (the transitive pin blocks an automated single-package bump).

Proposed work

  • Identify the parent package(s) pinning tar to 6.2.1 (pnpm why tar).
  • Determine the minimum parent version that allows tar 7.5.3+.
  • Confirm the target versions are past the minimumReleaseAge threshold.
  • Bump via pnpm, run tests (Vitest/Playwright), confirm CI green.
  • Open PR with a Conventional Commits message (e.g. fix(deps): resolve node-tar CVE-2026-23745 via parent bump).

Notes

Surfaced during the weekly PMDS dependency + security sweep (Wk 2). References Dependabot alert #33.

Metadata

Metadata

Assignees

No one assigned

    Labels

    dependenciesPull requests that update a dependency filesecuritySecurity vulnerabilityseverity:highHigh severity

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    Status
    Todo

    Milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions