microsoft · frankmueller-msft · Mar 11, 2026 · Mar 11, 2026 · Mar 11, 2026 · Mar 11, 2026
diff --git a/build-tools/package.json b/build-tools/package.json
@@ -154,7 +154,8 @@
 			"qs: overridden to ^6.15.0 to resolve a known vulnerability in older versions.",
 			"js-yaml: overridden to fix a known vulnerability (prototype pollution via merge keys).",
 			"mdast-util-to-hast: overridden to ^13.2.1 to fix a known vulnerability (unsanitized class attribute injection).",
-			"simple-git: overridden to ^3.32.3 to resolve a CG alert."
+			"simple-git: overridden to ^3.32.3 to resolve a CG alert.",
+			"tar: overridden to ^7.5.11 to resolve multiple security vulnerabilities in tar 6.x (EOL, no backport). Can be removed after build-cli is published with npm-check-updates@17."
 		],
 		"overrides": {
 			"@types/glob>@types/minimatch": "~5.1.2",
@@ -171,7 +172,8 @@
 			"oclif>@aws-sdk/client-s3": "-",
 			"qs": "^6.15.0",
 			"simple-git": "^3.32.3",
-			"sharp": "^0.34.5"
+			"sharp": "^0.34.5",
+			"tar": "^7.5.11"
 		},
 		"updateConfig": {
 			"ignoreDependencies": [

diff --git a/build-tools/packages/build-cli/package.json b/build-tools/packages/build-cli/package.json
@@ -123,7 +123,7 @@
 		"mdast-util-heading-range": "^4.0.0",
 		"mdast-util-to-string": "^4.0.0",
 		"minimatch": "^10.1.1",
-		"npm-check-updates": "^16.14.20",
+		"npm-check-updates": "^17.1.18",
 		"oclif": "^4.22.50",
 		"picocolors": "^1.1.1",
 		"prettier": "~3.2.5",

diff --git a/build-tools/packages/build-cli/src/library/package.ts b/build-tools/packages/build-cli/src/library/package.ts
@@ -25,8 +25,6 @@ import execa from "execa";
 import { readJsonSync } from "fs-extra/esm";
 import latestVersion from "latest-version";
 import ncu from "npm-check-updates";
-import type { Index } from "npm-check-updates/build/src/types/IndexType.js";
-import type { VersionSpec } from "npm-check-updates/build/src/types/VersionSpec.js";
 import * as semver from "semver";
 import {
 	AllPackagesSelectionCriteria,
@@ -159,7 +157,7 @@ export async function npmCheckUpdates(
 			jsonUpgraded: true,
 			silent: true,
 			peer: true,
-		})) as Index<VersionSpec>;
+		})) as Record<string, string>;
 
 		if (typeof result !== "object") {
 			throw new TypeError(`Expected an object: ${typeof result}`);

diff --git a/build-tools/packages/build-infrastructure/src/test/data/testRepo/pnpm-lock.yaml b/build-tools/packages/build-infrastructure/src/test/data/testRepo/pnpm-lock.yaml
diff --git a/build-tools/pnpm-lock.yaml b/build-tools/pnpm-lock.yaml
diff --git a/common/lib/common-utils/package.json b/common/lib/common-utils/package.json
@@ -160,7 +160,8 @@
 			"oclif includes some AWS-related features, but we don't use them, so we drop those dependencies entirely via pnpm overrides. This helps reduce lockfile churn since the deps release very frequently.",
 			"qs: overridden to ^6.15.0 to resolve a known vulnerability in older versions.",
 			"js-yaml: overridden to fix a known vulnerability (prototype pollution via merge keys).",
-			"simple-git: overridden to ^3.32.3 to resolve a CG alert."
+			"simple-git: overridden to ^3.32.3 to resolve a CG alert.",
+			"tar: overridden to ^7.5.11 to resolve multiple security vulnerabilities in tar 6.x (EOL, no backport). Can be removed after build-cli is published with npm-check-updates@17."
 		],
 		"overrides": {
 			"js-yaml@<4": "^3.14.2",
@@ -170,7 +171,8 @@
 			"oclif>@aws-sdk/client-s3": "-",
 			"qs": "^6.15.0",
 			"simple-git": "^3.32.3",
-			"sharp": "^0.33.2"
+			"sharp": "^0.33.2",
+			"tar": "^7.5.11"
 		},
 		"patchedDependencies": {
 			"@microsoft/api-extractor@7.52.11": "../../../patches/@microsoft__api-extractor@7.52.11.patch"