chore(deps): bump tar from 7.5.9 to 7.5.11 #17
LGTM — straightforward Dependabot patch bump for tar (dev dependency) with security fixes.
Overview
This PR is an automated Dependabot security update that bumps the tar package from 7.5.9 to 7.5.11 in package-lock.json. The only file changed is the lockfile. The upstream commits include two security-relevant fixes: path sanitization improvements and prevention of symlink escaping via drive-relative paths. A few incidental peer: true removals in the lockfile are normal npm resolution artifacts.
Security risks
This PR improves security by pulling in upstream fixes for path traversal issues in node-tar. There are no new security risks introduced — the change is a patch-level bump of a dev dependency with no source code modifications.
Level of scrutiny
Minimal scrutiny is appropriate. This is a lockfile-only, patch-level dependency bump generated by Dependabot. No application logic, configuration, or source code is affected. The dependency is dev-only, further limiting blast radius.
Other factors
No bugs were found by the bug hunting system. There are no prior reviewer comments or outstanding discussions. The PR has no CODEOWNERS implications since it only touches package-lock.json. This is a well-established pattern (Dependabot security patch) that is safe to auto-approve.
b1d4c16 to 4d6a494
7c02308 to f1fb7ab
Bumps [tar](https://github.com/isaacs/node-tar) from 7.5.9 to 7.5.11.
- [Release notes](https://github.com/isaacs/node-tar/releases)
- [Changelog](https://github.com/isaacs/node-tar/blob/main/CHANGELOG.md)
- [Commits](isaacs/node-tar@v7.5.9...v7.5.11)

---
updated-dependencies:
- dependency-name: tar
  dependency-version: 7.5.11
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
f1fb7ab to 8f83c00
Bumps tar from 7.5.9 to 7.5.11.
Commits
- bf776f6 7.5.11
- f48b5fa prevent escaping symlinks with drive-relative paths
- 97cff15 docs: more security info
- 2b72abc 7.5.10
- 7bc755d parse root off paths before sanitizing .. parts
- c8cb846 update deps

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

You can disable automated security fix PRs for this repo from the Security Alerts page.
Summary by cubic

Upgrade tar from 7.5.9 to 7.5.13 to harden extraction: stricter path traversal checks and blocked drive-relative symlink escapes. Lockfile-only bump to an indirect dependency; no app code changes.

Written for commit cec116b. Summary will update on new commits.