Override tar to ^7.5.11 across all workspaces #26731
Conversation
…vulnerabilities; tar 6.x is EOL with no security backports. This adds pnpm overrides to the 6 isolated workspaces that still resolved tar 6.2.1, and bumps the existing root override from >=7.5.7 to >=7.5.11 to cover all known CVEs. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
CG was scanning this test data lockfile and flagging the vulnerable js-yaml 3.14.1 version. Updated references to 3.14.2. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
syncpack lint-semver-ranges in build-tools rejects >= ranges. Switch to ^ which is semantically equivalent for the 7.x line. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
The integrity hash for js-yaml@3.14.2 in the test fixture was incorrect, causing pnpm install to fail during build-tools tests. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Pull request overview
Updates pnpm overrides and lockfiles to move off vulnerable tar 6.x by pinning tar to the 7.5.11 release line across the repo (including per-workspace lockfiles), keeping dependency graphs aligned for server and build tooling packages.
Changes:
- Add/adjust pnpm overrides to force `tar` to `7.5.11` across root + affected workspaces.
- Regenerate/update pnpm lockfiles so `tar@7.5.11` (and its new transitive deps) are captured.
- Update build-infrastructure test lockfile fixture to reflect `js-yaml@3.14.2`.
Reviewed changes
Copilot reviewed 7 out of 15 changed files in this pull request and generated 6 comments.
| File | Description |
|---|---|
| package.json | Updates root pnpm override to tar@^7.5.11. |
| pnpm-lock.yaml | Updates root lockfile to resolve tar@7.5.11 and reflect refreshed dependency graph. |
| build-tools/package.json | Adds tar override + override comment in build-tools workspace. |
| build-tools/pnpm-lock.yaml | Updates build-tools lockfile to include tar@7.5.11 and transitive deps. |
| build-tools/packages/build-infrastructure/src/test/data/testRepo/pnpm-lock.yaml | Updates test fixture lockfile for js-yaml resolution. |
| common/lib/common-utils/package.json | Adds tar override + override comment for common-utils workspace. |
| common/lib/common-utils/pnpm-lock.yaml | Updates common-utils lockfile for tar@7.5.11 graph. |
| common/lib/protocol-definitions/package.json | Adds tar override + override comment for protocol-definitions workspace. |
| common/lib/protocol-definitions/pnpm-lock.yaml | Updates protocol-definitions lockfile for tar@7.5.11 graph. |
| server/gitrest/package.json | Adds tar override + override comment for gitrest workspace. |
| server/gitrest/pnpm-lock.yaml | Updates gitrest lockfile for tar@7.5.11 graph. |
| server/historian/package.json | Adds tar override + override comment for historian workspace. |
| server/historian/pnpm-lock.yaml | Updates historian lockfile for tar@7.5.11 graph. |
| server/routerlicious/package.json | Adds tar override + override comment for routerlicious workspace. |
| server/routerlicious/pnpm-lock.yaml | Updates routerlicious lockfile for tar@7.5.11 graph. |
Files not reviewed (8)
- build-tools/packages/build-infrastructure/src/test/data/testRepo/pnpm-lock.yaml: Language not supported
- build-tools/pnpm-lock.yaml: Language not supported
- common/lib/common-utils/pnpm-lock.yaml: Language not supported
- common/lib/protocol-definitions/pnpm-lock.yaml: Language not supported
- pnpm-lock.yaml: Language not supported
- server/gitrest/pnpm-lock.yaml: Language not supported
- server/historian/pnpm-lock.yaml: Language not supported
- server/routerlicious/pnpm-lock.yaml: Language not supported
server/routerlicious/package.json
| "systeminformation: overridden to ^5.31.0 to resolve command injection vulnerabilities.", | ||
| "simple-git: overridden to ^3.32.3 to resolve a CG alert." | ||
| "simple-git: overridden to ^3.32.3 to resolve a CG alert.", | ||
| "tar: overridden to >=7.5.11 to resolve multiple security vulnerabilities in tar 6.x (EOL, no backport)." |
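Review bot: the commentsOverrides entry added on the last line states >=7.5.11, but the override itself was switched to ^7.5.11 (an earlier commit in this PR moved from >= to ^ because syncpack lint-semver-ranges rejects >= ranges), so the comment should read ^7.5.11 to match the range it documents. The caret is also the better choice for a security pin here, since it keeps a future tar 8.x from being pulled in silently. The same entry appears in the other five workspace package.json files changed in this PR and needs the same correction.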
Fixed — updated all 6 commentsOverrides to say ^7.5.11 to match the actual override range.
server/historian/package.json
| "js-yaml: overridden to fix a known vulnerability (prototype pollution via merge keys).", | ||
| "simple-git: overridden to ^3.32.3 to resolve a CG alert." | ||
| "simple-git: overridden to ^3.32.3 to resolve a CG alert.", | ||
| "tar: overridden to >=7.5.11 to resolve multiple security vulnerabilities in tar 6.x (EOL, no backport)." |
Fixed in the same commit — all commentsOverrides now say ^7.5.11.
server/gitrest/package.json
| "js-yaml: overridden to fix a known vulnerability (prototype pollution via merge keys).", | ||
| "simple-git: overridden to ^3.32.3 to resolve a CG alert." | ||
| "simple-git: overridden to ^3.32.3 to resolve a CG alert.", | ||
| "tar: overridden to >=7.5.11 to resolve multiple security vulnerabilities in tar 6.x (EOL, no backport)." |
Fixed in the same commit — all commentsOverrides now say ^7.5.11.
| "js-yaml: overridden to fix a known vulnerability (prototype pollution via merge keys).", | ||
| "simple-git: overridden to ^3.32.3 to resolve a CG alert." | ||
| "simple-git: overridden to ^3.32.3 to resolve a CG alert.", | ||
| "tar: overridden to >=7.5.11 to resolve multiple security vulnerabilities in tar 6.x (EOL, no backport)." |
Fixed in the same commit — all commentsOverrides now say ^7.5.11.
common/lib/common-utils/package.json
| "js-yaml: overridden to fix a known vulnerability (prototype pollution via merge keys).", | ||
| "simple-git: overridden to ^3.32.3 to resolve a CG alert." | ||
| "simple-git: overridden to ^3.32.3 to resolve a CG alert.", | ||
| "tar: overridden to >=7.5.11 to resolve multiple security vulnerabilities in tar 6.x (EOL, no backport)." |
Fixed in the same commit — all commentsOverrides now say ^7.5.11.
build-tools/package.json
| "mdast-util-to-hast: overridden to ^13.2.1 to fix a known vulnerability (unsanitized class attribute injection).", | ||
| "simple-git: overridden to ^3.32.3 to resolve a CG alert." | ||
| "simple-git: overridden to ^3.32.3 to resolve a CG alert.", | ||
| "tar: overridden to >=7.5.11 to resolve multiple security vulnerabilities in tar 6.x (EOL, no backport)." |
Fixed in the same commit — all commentsOverrides now say ^7.5.11.
The commentsOverrides said >=7.5.11 but the actual override uses ^7.5.11. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
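As an added example (not code from this PR or from the FluidFramework repository), a Node script that automates the two checks this thread turns on: that every entry in `pnpm.overrides` uses a caret range and has a `commentsOverrides` line quoting the same range, and that a pnpm lockfile no longer resolves any `tar` version below 7.5.11. The package.json layout (`pnpm.overrides` next to a `pnpm.commentsOverrides` string array), the lockfile excerpt and its integrity strings are constructed assumptions.

```javascript
// Added example, not part of the PR: consistency checks for a pnpm security override.
// Assumes package.json carries pnpm.overrides plus a free-text pnpm.commentsOverrides
// array (the convention used in this repo); all inputs below are constructed.

// Constructed package.json fragment reproducing the mismatch flagged in review.
const samplePackageJson = {
  pnpm: {
    overrides: { "simple-git": "^3.32.3", tar: "^7.5.11" },
    commentsOverrides: [
      "simple-git: overridden to ^3.32.3 to resolve a CG alert.",
      "tar: overridden to >=7.5.11 to resolve multiple security vulnerabilities in tar 6.x (EOL, no backport).",
    ],
  },
};

// Constructed pnpm-lock.yaml excerpt (v9 layout) that still carries a tar 6.x entry.
const sampleLockfile = `
packages:
  tar@6.2.1:
    resolution: {integrity: sha512-CONSTRUCTED}
  tar@7.5.11:
    resolution: {integrity: sha512-CONSTRUCTED}
`;

// Returns a list of problems in the override metadata; an empty array means clean.
function checkOverrides(pkg) {
  const problems = [];
  const { overrides = {}, commentsOverrides = [] } = pkg.pnpm ?? {};
  for (const [name, range] of Object.entries(overrides)) {
    // syncpack lint-semver-ranges rejects >= ranges; ^ also pins the major version.
    if (range.startsWith(">=")) problems.push(`${name}: use a ^ range instead of ${range}`);
    const comment = commentsOverrides.find((c) => c.startsWith(`${name}:`));
    if (!comment) problems.push(`${name}: no commentsOverrides entry`);
    else if (!comment.includes(range)) problems.push(`${name}: comment does not mention ${range}`);
  }
  return problems;
}

// Returns every version of `name` resolved in the lockfile text that is below `minimum`.
function staleVersions(lockfileText, name, minimum) {
  const re = new RegExp(`^\\s*${name}@(\\d+)\\.(\\d+)\\.(\\d+):`, "gm");
  const min = minimum.split(".").map(Number);
  const cmp = (a, b) => a.reduce((r, v, i) => (r !== 0 ? r : v - b[i]), 0);
  const stale = [];
  for (const m of lockfileText.matchAll(re)) {
    const v = m.slice(1, 4).map(Number);
    if (cmp(v, min) < 0) stale.push(v.join("."));
  }
  return stale;
}

console.log(checkOverrides(samplePackageJson), staleVersions(sampleLockfile, "tar", "7.5.11"));
```

Run against the real files, the lockfile check is the one that catches a workspace whose override was added but whose pnpm-lock.yaml was never regenerated.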
## Summary
- Upgrades `npm-check-updates` from v16 to v17 in `@fluid-tools/build-cli`
- ncu@17 is fully bundled with zero dependencies, eliminating the transitive `tar 6.x` chain (`ncu@16 → pacote → cacache → tar 6.x`)
- Removes deep type imports (`build/src/types/`) that no longer exist in v17
- Improves type safety of the `ncu.run()` result: typed as `unknown` and narrowed per branch (`Record<string, Record<string, string>>` for glob patterns, `Record<string, string>` for single-package)

## Context
Split from #26707. The tar override fix is in #26731 (pure config, no code changes). This PR contains the ncu upgrade with a code change in `build-cli/src/library/package.ts`. Once published in the next build-cli release, the tar overrides in non-root workspaces (which exist because they depend on published `@fluid-tools/build-cli@0.63.0` that still ships ncu@16) can be removed.

## Test plan
- [x] CI passes — build-tools workspace builds and tests successfully (first push)
- [ ] CI passes after type-narrowing follow-up commit (pending)
- [ ] Verify build-cli commands that use ncu (e.g., `flub check policy`) still work correctly

🤖 Generated with [Claude Code](https://claude.com/claude-code)

---------

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Summary
Adds a `"tar": "^7.5.11"` pnpm override across 7 workspaces (root, build-tools, common-utils, protocol-definitions, routerlicious, historian, gitrest) to resolve path traversal vulnerabilities in tar <7.5.11.
Test plan
🤖 Generated with Claude Code