Closed
6 changes: 4 additions & 2 deletions build-tools/package.json
Expand Up @@ -154,7 +154,8 @@
"qs: overridden to ^6.15.0 to resolve a known vulnerability in older versions.",
"js-yaml: overridden to fix a known vulnerability (prototype pollution via merge keys).",
"mdast-util-to-hast: overridden to ^13.2.1 to fix a known vulnerability (unsanitized class attribute injection).",
"simple-git: overridden to ^3.32.3 to resolve a CG alert."
"simple-git: overridden to ^3.32.3 to resolve a CG alert.",
"tar: overridden to >=7.5.11 to resolve multiple security vulnerabilities in tar 6.x (EOL, no backport)."
],
"overrides": {
"@types/glob>@types/minimatch": "~5.1.2",
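Review bot: The new `tar` entry in the comment array says only "multiple security vulnerabilities", while the neighbouring entries name the issue class (prototype pollution, class attribute injection) or the alert source. Listing the advisory IDs or the alert being resolved, and which dependency still pulls in tar 6.x, would let a later maintainer tell when this override can be dropped.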
Expand All @@ -171,7 +172,8 @@
"oclif>@aws-sdk/client-s3": "-",
"qs": "^6.15.0",
"simple-git": "^3.32.3",
"sharp": "^0.34.5"
"sharp": "^0.34.5",
"tar": ">=7.5.11"
},
"updateConfig": {
"ignoreDependencies": [
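Review bot: `"tar": ">=7.5.11"` is an open-ended range, unlike the caret ranges used for `qs`, `simple-git` and `sharp` in the same block. With no upper bound, a later lockfile regeneration can resolve a new major of tar for every transitive consumer without anyone touching this file; `"tar": "^7.5.11"` keeps the security floor and makes the next major an explicit decision.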
56 changes: 42 additions & 14 deletions build-tools/pnpm-lock.yaml

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

6 changes: 4 additions & 2 deletions common/lib/common-utils/package.json
Expand Up @@ -160,7 +160,8 @@
"oclif includes some AWS-related features, but we don't use them, so we drop those dependencies entirely via pnpm overrides. This helps reduce lockfile churn since the deps release very frequently.",
"qs: overridden to ^6.15.0 to resolve a known vulnerability in older versions.",
"js-yaml: overridden to fix a known vulnerability (prototype pollution via merge keys).",
"simple-git: overridden to ^3.32.3 to resolve a CG alert."
"simple-git: overridden to ^3.32.3 to resolve a CG alert.",
"tar: overridden to >=7.5.11 to resolve multiple security vulnerabilities in tar 6.x (EOL, no backport)."
],
"overrides": {
"js-yaml@<4": "^3.14.2",
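Review bot: The added comment records that tar 6.x is EOL but not that the override moves every consumer across a major version, from 6.x to 7.x. The entry should say which dependents request tar 6.x and that they were exercised against 7.x, so that a later breakage in an archive-handling path can be traced back to this override.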
Expand All @@ -170,7 +171,8 @@
"oclif>@aws-sdk/client-s3": "-",
"qs": "^6.15.0",
"simple-git": "^3.32.3",
"sharp": "^0.33.2"
"sharp": "^0.33.2",
"tar": ">=7.5.11"
},
"patchedDependencies": {
"@microsoft/api-extractor@7.52.11": "../../../patches/@microsoft__api-extractor@7.52.11.patch"
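Review bot: The bare `"tar"` key rewrites every tar resolution in the graph, whereas the `overrides` block in this file already scopes js-yaml by version (`"js-yaml@<4"`, a few lines above this hunk). A selector along the lines of `"tar@<7.5.11": "^7.5.11"` would limit the override to the affected ranges and leave dependents that already request a fixed 7.x release alone.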
57 changes: 42 additions & 15 deletions common/lib/common-utils/pnpm-lock.yaml

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

6 changes: 4 additions & 2 deletions common/lib/protocol-definitions/package.json
Expand Up @@ -118,7 +118,8 @@
"oclif includes some AWS-related features, but we don't use them, so we drop those transitive dependencies entirely from the dependency graph. This helps reduce lockfile churn since the deps release very frequently.",
"qs: overridden to ^6.15.0 to resolve a known vulnerability in older versions.",
"js-yaml: overridden to fix a known vulnerability (prototype pollution via merge keys).",
"simple-git: overridden to ^3.32.3 to resolve a CG alert."
"simple-git: overridden to ^3.32.3 to resolve a CG alert.",
"tar: overridden to >=7.5.11 to resolve multiple security vulnerabilities in tar 6.x (EOL, no backport)."
],
"onlyBuiltDependencies": [
"core-js",
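Review bot: This is the third verbatim copy of the tar comment, and the override it documents is repeated per package as well; the `sharp` pin differing between build-tools (`^0.34.5`) and the two common/lib packages (`^0.33.2`) shows these blocks are maintained independently. Consider stating in the comment that the tar floor must move in all three files together, or adding a check that fails when they diverge, so one workspace is not left on an older floor after the next bump.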
Expand All @@ -140,7 +141,8 @@
"oclif>@aws-sdk/client-s3": "-",
"qs": "^6.15.0",
"simple-git": "^3.32.3",
"sharp": "^0.33.2"
"sharp": "^0.33.2",
"tar": ">=7.5.11"
},
"patchedDependencies": {
"@microsoft/api-extractor@7.52.11": "../../../patches/@microsoft__api-extractor@7.52.11.patch"
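Review bot: The `"tar": ">=7.5.11"` override takes effect through the regenerated lockfile, and no pnpm-lock.yaml diff for protocol-definitions is visible alongside this hunk. Please confirm the lockfile for this package was regenerated in the same commit and that no tar 6.x entry remains in it.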