From 8c9ce008b6b5abe71d005f40e19e1ef689919d16 Mon Sep 17 00:00:00 2001
From: Cursor Agent
Date: Tue, 20 Jan 2026 23:05:34 +0000
Subject: [PATCH] Fix npm-tar vulnerability (CVE-2026-23745) by upgrading to 7.5.4

- Added pnpm override to force tar >= 7.5.3
- Updated pnpm-lock.yaml to use tar@7.5.4
- Resolves TOO-351
---
 package.json   |  7 ++++++-
 pnpm-lock.yaml | 11 +++++++----
 2 files changed, 13 insertions(+), 5 deletions(-)

diff --git a/package.json b/package.json
index ba7953195..d16a0a9ba 100644
--- a/package.json
+++ b/package.json
@@ -101,5 +101,10 @@
       "pnpm dlx ultracite fix "
     ]
   },
-  "packageManager": "pnpm@10.11.0"
+  "packageManager": "pnpm@10.11.0",
+  "pnpm": {
+    "overrides": {
+      "tar": ">=7.5.3"
+    }
+  }
 }
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
index 436ac536b..0eea32821 100644
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@@ -4,6 +4,9 @@ settings:
   autoInstallPeers: true
   excludeLinksFromLockfile: false
 
+overrides:
+  tar: '>=7.5.3'
+
 importers:
 
   .:
@@ -4458,8 +4461,8 @@ packages:
     resolution: {integrity: sha512-g9ljZiwki/LfxmQADO3dEY1CbpmXT5Hm2fJ+QaGKwSXUylMybePR7/67YW7jOrrvjEgL1Fmz5kzyAjWVWLlucg==}
     engines: {node: '>=6'}
 
-  tar@7.5.2:
-    resolution: {integrity: sha512-7NyxrTE4Anh8km8iEy7o0QYPs+0JKBTj5ZaqHg6B39erLg0qYXN3BijtShwbsNSvQ+LN75+KV+C4QR/f6Gwnpg==}
+  tar@7.5.4:
+    resolution: {integrity: sha512-AN04xbWGrSTDmVwlI4/GTlIIwMFk/XEv7uL8aa57zuvRy6s4hdBed+lVq2fAZ89XDa7Us3ANXcE3Tvqvja1kTA==}
     engines: {node: '>=18'}
 
   third-party-capital@1.0.20:
@@ -6888,7 +6891,7 @@ snapshots:
   '@tailwindcss/oxide@4.1.14':
     dependencies:
       detect-libc: 2.1.2
-      tar: 7.5.2
+      tar: 7.5.4
     optionalDependencies:
       '@tailwindcss/oxide-android-arm64': 4.1.14
       '@tailwindcss/oxide-darwin-arm64': 4.1.14
@@ -9962,7 +9965,7 @@ snapshots:
   tapable@2.3.0: {}
 
-  tar@7.5.2:
+  tar@7.5.4:
    dependencies:
      '@isaacs/fs-minipass': 4.0.1
      chownr: 3.0.0
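Review bot: The override `"tar": ">=7.5.3"` in the package.json hunk is open-ended and replaces the range each dependent declares for tar, so a future tar major release would be selected on the next lockfile refresh without the dependent's own constraint applying; an upper bound such as `"tar": ">=7.5.3 <8"` keeps the fix while staying inside the major the dependents were resolved against. The floor (7.5.3) also differs from the version the subject names as the fix (7.5.4); if 7.5.3 is the first patched release that is fine, but stating it in the commit message would stop the override from later being tightened or loosened blindly. The override is workspace-wide, while the only dependent visible in the lockfile hunks is `@tailwindcss/oxide`; a scoped override (pnpm's `"@tailwindcss/oxide>tar"` form) would limit the blast radius, and either way the override should be removed once that dependent raises its own range so the lockfile does not carry a permanent pin.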