From d06c6534dfd23d6e3bd5dbb453d6bb33a0e7015e Mon Sep 17 00:00:00 2001 From: Frank Mueller Date: Wed, 11 Mar 2026 14:53:12 -0700 Subject: [PATCH 1/5] Override tar to >=7.5.11 across all workspaces to fix path traversal vulnerabilities tar 6.x is EOL with no security backports. This adds pnpm overrides to the 6 isolated workspaces that still resolved tar 6.2.1, and bumps the existing root override from >=7.5.7 to >=7.5.11 to cover all known CVEs. Co-Authored-By: Claude Opus 4.6 --- build-tools/package.json | 6 +- build-tools/pnpm-lock.yaml | 56 +++- common/lib/common-utils/package.json | 6 +- common/lib/common-utils/pnpm-lock.yaml | 57 +++-- common/lib/protocol-definitions/package.json | 6 +- .../lib/protocol-definitions/pnpm-lock.yaml | 57 +++-- package.json | 2 +- pnpm-lock.yaml | 241 +----------------- server/gitrest/package.json | 6 +- server/gitrest/pnpm-lock.yaml | 57 +++-- server/historian/package.json | 4 +- server/historian/pnpm-lock.yaml | 57 +++-- server/routerlicious/package.json | 4 +- server/routerlicious/pnpm-lock.yaml | 65 +++-- 14 files changed, 281 insertions(+), 343 deletions(-) diff --git a/build-tools/package.json b/build-tools/package.json index a717c2f3afec..479c093d4147 100644 --- a/build-tools/package.json +++ b/build-tools/package.json @@ -154,7 +154,8 @@ "qs: overridden to ^6.15.0 to resolve a known vulnerability in older versions.", "js-yaml: overridden to fix a known vulnerability (prototype pollution via merge keys).", "mdast-util-to-hast: overridden to ^13.2.1 to fix a known vulnerability (unsanitized class attribute injection).", - "simple-git: overridden to ^3.32.3 to resolve a CG alert." + "simple-git: overridden to ^3.32.3 to resolve a CG alert.", + "tar: overridden to >=7.5.11 to resolve multiple security vulnerabilities in tar 6.x (EOL, no backport)." ], "overrides": { "@types/glob>@types/minimatch": "~5.1.2", 
@@ -171,7 +172,8 @@ "oclif>@aws-sdk/client-s3": "-", "qs": "^6.15.0", "simple-git": "^3.32.3", - "sharp": "^0.34.5" + "sharp": "^0.34.5", + "tar": ">=7.5.11" }, "updateConfig": { "ignoreDependencies": [ diff --git a/build-tools/pnpm-lock.yaml b/build-tools/pnpm-lock.yaml index e02cd8530bf8..989612546fb9 100644 --- a/build-tools/pnpm-lock.yaml +++ b/build-tools/pnpm-lock.yaml @@ -20,6 +20,7 @@ overrides: qs: ^6.15.0 simple-git: ^3.32.3 sharp: ^0.34.5 + tar: '>=7.5.11' importers: @@ -1513,6 +1514,10 @@ packages: resolution: {integrity: sha512-O8jcjabXaleOG9DQ0+ARXWZBTfnP4WNAqzuiJK7ll44AmxGKv/J2M4TPjxjY3znBCfvBXFzucm1twdyFybFqEA==} engines: {node: '>=12'} + '@isaacs/fs-minipass@4.0.1': + resolution: {integrity: sha512-wgm9Ehl2jpeqP3zw/7mo3kRHFp5MEDhqAdwy1fTGkHAwnkGOVsgpvQhL8B5n1qlb01jV3n/bI0ZfZp5lWA1k4w==} + engines: {node: '>=18.0.0'} + '@istanbuljs/schema@0.1.3': resolution: {integrity: sha512-ZXRY4jNvVgSVQ8DL3LTcakaAtXwTVUxE81hslsyD2AtoXW/wVob10HkOJ1X/pAlcI7D+2YoZKg5do8G/w6RYgA==} engines: {node: '>=8'} @@ -2498,6 +2503,10 @@ packages: resolution: {integrity: sha512-bIomtDF5KGpdogkLd9VspvFzk9KfpyyGlS8YFVZl7TGPBHL5snIOnxeshwVgPteQ9b4Eydl+pVbIyE1DcvCWgQ==} engines: {node: '>=10'} + chownr@3.0.0: + resolution: {integrity: sha512-+IxzY9BZOQd/XuYPRmrvEVjF/nqj5kgT4kEq7VofrDoM1MxoRjEWkrCC3EtLi59TVawxTAn+orJwFQcrqEN1+g==} + engines: {node: '>=18'} + chrome-trace-event@1.0.3: resolution: {integrity: sha512-p3KULyQg4S7NIHixdwbGX+nFHkoBiA4YQmyWtjb8XngSKV124nJmRysgAeujbUVb15vh+RvFUfCPqU7rXk+hZg==} engines: {node: '>=6.0'} 
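Review bot: The `"tar": ">=7.5.11"` override forces a major-version jump onto dependents whose own ranges had resolved `tar: 6.2.1` (the lockfile hunks below swap it under cacache, node-gyp and pacote), a change pnpm's normal resolution would never have made on its own; tar 7 declares `engines: {node: '>=18'}` in this same patch and is reportedly a substantial rewrite of 6.x, so the CI matrix for build-tools should be confirmed to run Node 18+ and a smoke run of the node-gyp/pacote code paths is the evidence this commit should cite. The same override is added in the common-utils, protocol-definitions and gitrest package.json hunks and this note applies there too. Leaving the range open-ended means a future tar major will also be accepted at the next re-resolution; `"tar": ">=7.5.11 <8"` keeps the fix while bounding that, unless matching the root's existing `>=` style is the priority.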
@@ -4467,6 +4476,10 @@ packages: resolution: {integrity: sha512-bAxsR8BVfj60DWXHE3u30oHzfl4G7khkSuPW+qvpd7jFRHm7dLxOjUk1EHACJ/hxLY8phGJ0YhYHZo7jil7Qdg==} engines: {node: '>= 8'} + minizlib@3.1.0: + resolution: {integrity: sha512-KZxYo1BUkWD2TVFLr0MQoM8vUUigWD3LlD83a/75BqC+4qE0Hb1Vo5v1FgcfaNXvfXzr+5EhQ6ing/CaBijTlw==} + engines: {node: '>= 18'} + mkdirp@0.5.6: resolution: {integrity: sha512-FP+p8RB8OWpF3YZBCrP5gtADmtXApB5AMLn+vdyA+PyxCjrCs00mjyUozssO33cwDeT3wNGdLxJ5M//YqtHAJw==} hasBin: true @@ -5464,9 +5477,9 @@ packages: resolution: {integrity: sha512-g9ljZiwki/LfxmQADO3dEY1CbpmXT5Hm2fJ+QaGKwSXUylMybePR7/67YW7jOrrvjEgL1Fmz5kzyAjWVWLlucg==} engines: {node: '>=6'} - tar@6.2.1: - resolution: {integrity: sha512-DZ4yORTwrbTj/7MZYq2w+/ZFdI6OZ/f9SFHR+71gIVUZhOQPHzVCLpvRnPgyaMpfWxxk/4ONva3GQSyNIKRv6A==} - engines: {node: '>=10'} + tar@7.5.11: + resolution: {integrity: sha512-ChjMH33/KetonMTAtpYdgUFr0tbz69Fp2v7zWxQfYZX4g5ZN2nOBXm1R2xyA+lMIKrLKIoKAwFj93jE/avX9cQ==} + engines: {node: '>=18'} temp-dir@3.0.0: resolution: {integrity: sha512-nHc6S/bwIilKHNRgK/3jlhDoIHcp45YgyiwcAk46Tr0LfEqGBVpmiAyuiuxeVE44m3mXnEeVhaipLOEWmH+Njw==} @@ -5950,6 +5963,10 @@ packages: yallist@4.0.0: resolution: {integrity: sha512-3wdGidZyq5PB084XLES5TpOSRA3wjXAlIWMhum2kRcv/41Sn2emQ0dycQW4uZXLejwKvg6EsvbdlVL+FYEct7A==} + yallist@5.0.0: + resolution: {integrity: sha512-YgvUTfwqyc7UXVMrB+SImsVYSmTS8X/tSrtdNZMImM+n7+QTriRXyXim0mBrTXNeqzVF0KWGgHPeiyViFFrNDw==} + engines: {node: '>=18'} + yaml@2.8.1: resolution: {integrity: sha512-lcYcMxX2PO9XMGvAJkJ3OsNMw+/7FKes7/hgerGUYWIoWu5j/+YQqcZr5JnPZWzOsEBgMbSbiSTn/dv/69Mkpw==} engines: {node: '>= 14.6'} @@ -6873,6 +6890,10 @@ snapshots: wrap-ansi: 8.1.0 wrap-ansi-cjs: wrap-ansi@7.0.0 + '@isaacs/fs-minipass@4.0.1': + dependencies: + minipass: 7.1.2 + '@istanbuljs/schema@0.1.3': {} '@jridgewell/gen-mapping@0.3.2': 
@@ -7912,7 +7933,7 @@ snapshots: promise-inflight: 1.0.1 rimraf: 3.0.2 ssri: 9.0.1 - tar: 6.2.1 + tar: 7.5.11 unique-filename: 2.0.1 transitivePeerDependencies: - bluebird @@ -7929,7 +7950,7 @@ snapshots: minipass-pipeline: 1.2.4 p-map: 4.0.0 ssri: 10.0.4 - tar: 6.2.1 + tar: 7.5.11 unique-filename: 3.0.0 cacheable-lookup@7.0.0: {} @@ -8033,6 +8054,8 @@ snapshots: chownr@2.0.0: {} + chownr@3.0.0: {} + chrome-trace-event@1.0.3: {} ci-info@3.9.0: {} @@ -10381,6 +10404,10 @@ snapshots: minipass: 3.3.6 yallist: 4.0.0 + minizlib@3.1.0: + dependencies: + minipass: 7.1.2 + mkdirp@0.5.6: dependencies: minimist: 1.2.8 @@ -10492,7 +10519,7 @@ snapshots: npmlog: 6.0.2 rimraf: 3.0.2 semver: 7.7.3 - tar: 6.2.1 + tar: 7.5.11 which: 2.0.2 transitivePeerDependencies: - bluebird @@ -10784,7 +10811,7 @@ snapshots: read-package-json-fast: 3.0.2 sigstore: 1.6.0 ssri: 10.0.4 - tar: 6.2.1 + tar: 7.5.11 transitivePeerDependencies: - bluebird - supports-color @@ -11578,14 +11605,13 @@ snapshots: tapable@2.3.0: {} - tar@6.2.1: + tar@7.5.11: dependencies: - chownr: 2.0.0 - fs-minipass: 2.1.0 - minipass: 5.0.0 - minizlib: 2.1.2 - mkdirp: 1.0.4 - yallist: 4.0.0 + '@isaacs/fs-minipass': 4.0.1 + chownr: 3.0.0 + minipass: 7.1.2 + minizlib: 3.1.0 + yallist: 5.0.0 temp-dir@3.0.0: {} @@ -12074,6 +12100,8 @@ snapshots: yallist@4.0.0: {} + yallist@5.0.0: {} + yaml@2.8.1: {} yargs-parser@20.2.9: {} diff --git a/common/lib/common-utils/package.json b/common/lib/common-utils/package.json index 4edf463203db..9aee83cbf1ad 100644 --- a/common/lib/common-utils/package.json +++ b/common/lib/common-utils/package.json 
@@ -160,7 +160,8 @@ "oclif includes some AWS-related features, but we don't use them, so we drop those dependencies entirely via pnpm overrides. This helps reduce lockfile churn since the deps release very frequently.", "qs: overridden to ^6.15.0 to resolve a known vulnerability in older versions.", "js-yaml: overridden to fix a known vulnerability (prototype pollution via merge keys).", - "simple-git: overridden to ^3.32.3 to resolve a CG alert." + "simple-git: overridden to ^3.32.3 to resolve a CG alert.", + "tar: overridden to >=7.5.11 to resolve multiple security vulnerabilities in tar 6.x (EOL, no backport)." ], "overrides": { "js-yaml@<4": "^3.14.2", @@ -170,7 +171,8 @@ "oclif>@aws-sdk/client-s3": "-", "qs": "^6.15.0", "simple-git": "^3.32.3", - "sharp": "^0.33.2" + "sharp": "^0.33.2", + "tar": ">=7.5.11" }, "patchedDependencies": { "@microsoft/api-extractor@7.52.11": "../../../patches/@microsoft__api-extractor@7.52.11.patch" diff --git a/common/lib/common-utils/pnpm-lock.yaml b/common/lib/common-utils/pnpm-lock.yaml index 022d09c1ce69..d2db64859058 100644 --- a/common/lib/common-utils/pnpm-lock.yaml +++ b/common/lib/common-utils/pnpm-lock.yaml @@ -13,6 +13,7 @@ overrides: qs: ^6.15.0 simple-git: ^3.32.3 sharp: ^0.33.2 + tar: '>=7.5.11' patchedDependencies: '@microsoft/api-extractor@7.52.11': @@ -762,6 +763,10 @@ packages: resolution: {integrity: sha512-O8jcjabXaleOG9DQ0+ARXWZBTfnP4WNAqzuiJK7ll44AmxGKv/J2M4TPjxjY3znBCfvBXFzucm1twdyFybFqEA==} engines: {node: '>=12'} + '@isaacs/fs-minipass@4.0.1': + resolution: {integrity: sha512-wgm9Ehl2jpeqP3zw/7mo3kRHFp5MEDhqAdwy1fTGkHAwnkGOVsgpvQhL8B5n1qlb01jV3n/bI0ZfZp5lWA1k4w==} + engines: {node: '>=18.0.0'} + '@istanbuljs/load-nyc-config@1.1.0': resolution: {integrity: sha512-VjeHSlIzpv/NyD3N0YuHfXOPDIixcA1q2ZV98wsMqcYlPmv2n3Yb2lYP9XMElnaFVXg5A7YLTeLu6V84uQDjmQ==} engines: {node: '>=8'} 
@@ -2016,6 +2021,10 @@ packages: resolution: {integrity: sha512-bIomtDF5KGpdogkLd9VspvFzk9KfpyyGlS8YFVZl7TGPBHL5snIOnxeshwVgPteQ9b4Eydl+pVbIyE1DcvCWgQ==} engines: {node: '>=10'} + chownr@3.0.0: + resolution: {integrity: sha512-+IxzY9BZOQd/XuYPRmrvEVjF/nqj5kgT4kEq7VofrDoM1MxoRjEWkrCC3EtLi59TVawxTAn+orJwFQcrqEN1+g==} + engines: {node: '>=18'} + chrome-trace-event@1.0.3: resolution: {integrity: sha512-p3KULyQg4S7NIHixdwbGX+nFHkoBiA4YQmyWtjb8XngSKV124nJmRysgAeujbUVb15vh+RvFUfCPqU7rXk+hZg==} engines: {node: '>=6.0'} @@ -4210,6 +4219,10 @@ packages: resolution: {integrity: sha512-bAxsR8BVfj60DWXHE3u30oHzfl4G7khkSuPW+qvpd7jFRHm7dLxOjUk1EHACJ/hxLY8phGJ0YhYHZo7jil7Qdg==} engines: {node: '>= 8'} + minizlib@3.1.0: + resolution: {integrity: sha512-KZxYo1BUkWD2TVFLr0MQoM8vUUigWD3LlD83a/75BqC+4qE0Hb1Vo5v1FgcfaNXvfXzr+5EhQ6ing/CaBijTlw==} + engines: {node: '>= 18'} + mitt@3.0.1: resolution: {integrity: sha512-vKivATfr97l2/QBCYAkXYDbrIWPM2IIKEl7YPhjCvKlG3kE2gm+uBo6nEXK3M5/Ffh/FLpKExzOQ3JJoJGFKBw==} @@ -5343,10 +5356,9 @@ packages: tar-stream@3.1.7: resolution: {integrity: sha512-qJj60CXt7IU1Ffyc3NJMjh6EkuCFej46zUqJ4J7pqYlThyd9bO0XBTmcOIhSzZJVWfsLks0+nle/j538YAW9RQ==} - tar@6.2.1: - resolution: {integrity: sha512-DZ4yORTwrbTj/7MZYq2w+/ZFdI6OZ/f9SFHR+71gIVUZhOQPHzVCLpvRnPgyaMpfWxxk/4ONva3GQSyNIKRv6A==} - engines: {node: '>=10'} - deprecated: Old versions of tar are not supported, and contain widely publicized security vulnerabilities, which have been fixed in the current version. Please update. Support for old versions may be purchased (at exorbitant rates) by contacting i@izs.me + tar@7.5.11: + resolution: {integrity: sha512-ChjMH33/KetonMTAtpYdgUFr0tbz69Fp2v7zWxQfYZX4g5ZN2nOBXm1R2xyA+lMIKrLKIoKAwFj93jE/avX9cQ==} + engines: {node: '>=18'} terser-webpack-plugin@5.3.15: resolution: {integrity: sha512-PGkOdpRFK+rb1TzVz+msVhw4YMRT9txLF4kRqvJhGhCM324xuR3REBSHALN+l+sAhKUmz0aotnjp5D+P83mLhQ==} 
@@ -5861,6 +5873,10 @@ packages: yallist@4.0.0: resolution: {integrity: sha512-3wdGidZyq5PB084XLES5TpOSRA3wjXAlIWMhum2kRcv/41Sn2emQ0dycQW4uZXLejwKvg6EsvbdlVL+FYEct7A==} + yallist@5.0.0: + resolution: {integrity: sha512-YgvUTfwqyc7UXVMrB+SImsVYSmTS8X/tSrtdNZMImM+n7+QTriRXyXim0mBrTXNeqzVF0KWGgHPeiyViFFrNDw==} + engines: {node: '>=18'} + yaml@2.8.2: resolution: {integrity: sha512-mplynKqc1C2hTVYxd0PU2xQAc22TI1vShAYGksCCfxbn/dFwnHTNi1bvYsBTkhdUNtGIf5xNOg938rrSSYvS9A==} engines: {node: '>= 14.6'} @@ -6693,6 +6709,10 @@ snapshots: wrap-ansi: 8.1.0 wrap-ansi-cjs: wrap-ansi@7.0.0 + '@isaacs/fs-minipass@4.0.1': + dependencies: + minipass: 7.1.2 + '@istanbuljs/load-nyc-config@1.1.0': dependencies: camelcase: 5.3.1 @@ -8274,7 +8294,7 @@ snapshots: promise-inflight: 1.0.1 rimraf: 3.0.2 ssri: 9.0.1 - tar: 6.2.1 + tar: 7.5.11 unique-filename: 2.0.1 transitivePeerDependencies: - bluebird @@ -8292,7 +8312,7 @@ snapshots: p-map: 4.0.0 promise-inflight: 1.0.1 ssri: 10.0.3 - tar: 6.2.1 + tar: 7.5.11 unique-filename: 3.0.0 transitivePeerDependencies: - bluebird @@ -8401,6 +8421,8 @@ snapshots: chownr@2.0.0: {} + chownr@3.0.0: {} + chrome-trace-event@1.0.3: {} chromium-bidi@0.8.0(devtools-protocol@0.0.1354347): @@ -11166,6 +11188,10 @@ snapshots: minipass: 3.3.6 yallist: 4.0.0 + minizlib@3.1.0: + dependencies: + minipass: 7.1.2 + mitt@3.0.1: {} mkdirp@0.5.6: @@ -11275,7 +11301,7 @@ snapshots: npmlog: 6.0.2 rimraf: 3.0.2 semver: 7.7.3 - tar: 6.2.1 + tar: 7.5.11 which: 2.0.2 transitivePeerDependencies: - bluebird @@ -11597,7 +11623,7 @@ snapshots: read-package-json-fast: 3.0.2 sigstore: 1.4.0 ssri: 10.0.3 - tar: 6.2.1 + tar: 7.5.11 transitivePeerDependencies: - bluebird - supports-color 
@@ -12550,14 +12576,13 @@ snapshots: fast-fifo: 1.3.2 streamx: 2.22.0 - tar@6.2.1: + tar@7.5.11: dependencies: - chownr: 2.0.0 - fs-minipass: 2.1.0 - minipass: 5.0.0 - minizlib: 2.1.2 - mkdirp: 1.0.4 - yallist: 4.0.0 + '@isaacs/fs-minipass': 4.0.1 + chownr: 3.0.0 + minipass: 7.1.2 + minizlib: 3.1.0 + yallist: 5.0.0 terser-webpack-plugin@5.3.15(webpack@5.103.0): dependencies: @@ -13135,6 +13160,8 @@ snapshots: yallist@4.0.0: {} + yallist@5.0.0: {} + yaml@2.8.2: {} yargs-parser@20.2.9: {} diff --git a/common/lib/protocol-definitions/package.json b/common/lib/protocol-definitions/package.json index 165261838a70..4f65dc551294 100644 --- a/common/lib/protocol-definitions/package.json +++ b/common/lib/protocol-definitions/package.json @@ -118,7 +118,8 @@ "oclif includes some AWS-related features, but we don't use them, so we drop those transitive dependencies entirely from the dependency graph. This helps reduce lockfile churn since the deps release very frequently.", "qs: overridden to ^6.15.0 to resolve a known vulnerability in older versions.", "js-yaml: overridden to fix a known vulnerability (prototype pollution via merge keys).", - "simple-git: overridden to ^3.32.3 to resolve a CG alert." + "simple-git: overridden to ^3.32.3 to resolve a CG alert.", + "tar: overridden to >=7.5.11 to resolve multiple security vulnerabilities in tar 6.x (EOL, no backport)." ], "onlyBuiltDependencies": [ "core-js", @@ -140,7 +141,8 @@ "oclif>@aws-sdk/client-s3": "-", "qs": "^6.15.0", "simple-git": "^3.32.3", - "sharp": "^0.33.2" + "sharp": "^0.33.2", + "tar": ">=7.5.11" }, "patchedDependencies": { "@microsoft/api-extractor@7.52.11": "../../../patches/@microsoft__api-extractor@7.52.11.patch" diff --git a/common/lib/protocol-definitions/pnpm-lock.yaml b/common/lib/protocol-definitions/pnpm-lock.yaml index 76344737019f..8eba14931981 100644 --- a/common/lib/protocol-definitions/pnpm-lock.yaml +++ b/common/lib/protocol-definitions/pnpm-lock.yaml 
@@ -12,6 +12,7 @@ overrides: qs: ^6.15.0 simple-git: ^3.32.3 sharp: ^0.33.2 + tar: '>=7.5.11' patchedDependencies: '@microsoft/api-extractor@7.52.11': @@ -513,6 +514,10 @@ packages: resolution: {integrity: sha512-O8jcjabXaleOG9DQ0+ARXWZBTfnP4WNAqzuiJK7ll44AmxGKv/J2M4TPjxjY3znBCfvBXFzucm1twdyFybFqEA==} engines: {node: '>=12'} + '@isaacs/fs-minipass@4.0.1': + resolution: {integrity: sha512-wgm9Ehl2jpeqP3zw/7mo3kRHFp5MEDhqAdwy1fTGkHAwnkGOVsgpvQhL8B5n1qlb01jV3n/bI0ZfZp5lWA1k4w==} + engines: {node: '>=18.0.0'} + '@jridgewell/gen-mapping@0.3.3': resolution: {integrity: sha512-HLhSWOLRi875zjjMG/r+Nv0oCW8umGb0BgEhyX3dDX3egwZtB8PqLnjz3yedt8R5StBrzcg4aBpnh8UA9D1BoQ==} engines: {node: '>=6.0.0'} @@ -1382,6 +1387,10 @@ packages: resolution: {integrity: sha512-bIomtDF5KGpdogkLd9VspvFzk9KfpyyGlS8YFVZl7TGPBHL5snIOnxeshwVgPteQ9b4Eydl+pVbIyE1DcvCWgQ==} engines: {node: '>=10'} + chownr@3.0.0: + resolution: {integrity: sha512-+IxzY9BZOQd/XuYPRmrvEVjF/nqj5kgT4kEq7VofrDoM1MxoRjEWkrCC3EtLi59TVawxTAn+orJwFQcrqEN1+g==} + engines: {node: '>=18'} + chrome-trace-event@1.0.3: resolution: {integrity: sha512-p3KULyQg4S7NIHixdwbGX+nFHkoBiA4YQmyWtjb8XngSKV124nJmRysgAeujbUVb15vh+RvFUfCPqU7rXk+hZg==} engines: {node: '>=6.0'} @@ -2814,6 +2823,10 @@ packages: resolution: {integrity: sha512-bAxsR8BVfj60DWXHE3u30oHzfl4G7khkSuPW+qvpd7jFRHm7dLxOjUk1EHACJ/hxLY8phGJ0YhYHZo7jil7Qdg==} engines: {node: '>= 8'} + minizlib@3.1.0: + resolution: {integrity: sha512-KZxYo1BUkWD2TVFLr0MQoM8vUUigWD3LlD83a/75BqC+4qE0Hb1Vo5v1FgcfaNXvfXzr+5EhQ6ing/CaBijTlw==} + engines: {node: '>= 18'} + mkdirp@1.0.4: resolution: {integrity: sha512-vVqVZQyf3WLx2Shd0qJ9xuvqgAyKPLAiqITEtqW0oIUjzo3PePDd6fW9iFz30ef7Ysp/oiWqbhszeGWW2T6Gzw==} engines: {node: '>=10'} 
@@ -3654,10 +3667,9 @@ packages: resolution: {integrity: sha512-g9ljZiwki/LfxmQADO3dEY1CbpmXT5Hm2fJ+QaGKwSXUylMybePR7/67YW7jOrrvjEgL1Fmz5kzyAjWVWLlucg==} engines: {node: '>=6'} - tar@6.2.1: - resolution: {integrity: sha512-DZ4yORTwrbTj/7MZYq2w+/ZFdI6OZ/f9SFHR+71gIVUZhOQPHzVCLpvRnPgyaMpfWxxk/4ONva3GQSyNIKRv6A==} - engines: {node: '>=10'} - deprecated: Old versions of tar are not supported, and contain widely publicized security vulnerabilities, which have been fixed in the current version. Please update. Support for old versions may be purchased (at exorbitant rates) by contacting i@izs.me + tar@7.5.11: + resolution: {integrity: sha512-ChjMH33/KetonMTAtpYdgUFr0tbz69Fp2v7zWxQfYZX4g5ZN2nOBXm1R2xyA+lMIKrLKIoKAwFj93jE/avX9cQ==} + engines: {node: '>=18'} terser-webpack-plugin@5.3.15: resolution: {integrity: sha512-PGkOdpRFK+rb1TzVz+msVhw4YMRT9txLF4kRqvJhGhCM324xuR3REBSHALN+l+sAhKUmz0aotnjp5D+P83mLhQ==} @@ -4019,6 +4031,10 @@ packages: yallist@4.0.0: resolution: {integrity: sha512-3wdGidZyq5PB084XLES5TpOSRA3wjXAlIWMhum2kRcv/41Sn2emQ0dycQW4uZXLejwKvg6EsvbdlVL+FYEct7A==} + yallist@5.0.0: + resolution: {integrity: sha512-YgvUTfwqyc7UXVMrB+SImsVYSmTS8X/tSrtdNZMImM+n7+QTriRXyXim0mBrTXNeqzVF0KWGgHPeiyViFFrNDw==} + engines: {node: '>=18'} + yaml@2.8.2: resolution: {integrity: sha512-mplynKqc1C2hTVYxd0PU2xQAc22TI1vShAYGksCCfxbn/dFwnHTNi1bvYsBTkhdUNtGIf5xNOg938rrSSYvS9A==} engines: {node: '>= 14.6'} @@ -4645,6 +4661,10 @@ snapshots: wrap-ansi: 8.1.0 wrap-ansi-cjs: wrap-ansi@7.0.0 + '@isaacs/fs-minipass@4.0.1': + dependencies: + minipass: 7.1.2 + '@jridgewell/gen-mapping@0.3.3': dependencies: '@jridgewell/set-array': 1.1.2 @@ -5665,7 +5685,7 @@ snapshots: promise-inflight: 1.0.1 rimraf: 3.0.2 ssri: 9.0.1 - tar: 6.2.1 + tar: 7.5.11 unique-filename: 2.0.1 transitivePeerDependencies: - bluebird @@ -5682,7 +5702,7 @@ snapshots: minipass-pipeline: 1.2.4 p-map: 4.0.0 ssri: 10.0.4 - tar: 6.2.1 + tar: 7.5.11 unique-filename: 3.0.0 cacheable-lookup@7.0.0: {} 
@@ -5769,6 +5789,8 @@ snapshots: chownr@2.0.0: {} + chownr@3.0.0: {} + chrome-trace-event@1.0.3: {} ci-info@3.8.0: {} @@ -7412,6 +7434,10 @@ snapshots: minipass: 3.3.6 yallist: 4.0.0 + minizlib@3.1.0: + dependencies: + minipass: 7.1.2 + mkdirp@1.0.4: {} mkdirp@3.0.1: {} @@ -7477,7 +7503,7 @@ snapshots: npmlog: 6.0.2 rimraf: 3.0.2 semver: 7.7.3 - tar: 6.2.1 + tar: 7.5.11 which: 2.0.2 transitivePeerDependencies: - bluebird @@ -7727,7 +7753,7 @@ snapshots: read-package-json-fast: 3.0.2 sigstore: 1.4.0 ssri: 10.0.4 - tar: 6.2.1 + tar: 7.5.11 transitivePeerDependencies: - bluebird - supports-color @@ -8381,14 +8407,13 @@ snapshots: tapable@2.3.0: {} - tar@6.2.1: + tar@7.5.11: dependencies: - chownr: 2.0.0 - fs-minipass: 2.1.0 - minipass: 5.0.0 - minizlib: 2.1.2 - mkdirp: 1.0.4 - yallist: 4.0.0 + '@isaacs/fs-minipass': 4.0.1 + chownr: 3.0.0 + minipass: 7.1.2 + minizlib: 3.1.0 + yallist: 5.0.0 terser-webpack-plugin@5.3.15(webpack@5.103.0): dependencies: @@ -8754,6 +8779,8 @@ snapshots: yallist@4.0.0: {} + yallist@5.0.0: {} + yaml@2.8.2: {} yargs-parser@20.2.9: {} diff --git a/package.json b/package.json index 1c4d326cf28a..db0555a66888 100644 --- a/package.json +++ b/package.json @@ -378,7 +378,7 @@ "oclif>@aws-sdk/client-cloudfront": "-", "oclif>@aws-sdk/client-s3": "-", "axios@<0.30.0": "^0.30.0", - "tar": ">=7.5.7" + "tar": ">=7.5.11" }, "peerDependencyComments": [ "The react-split-pane package used by devtools-view has a peer dependency on React 16, but it doesn't seem to be maintained and it works fine with React 18. TODO: AB#18876", diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml index 0148c2795917..68908148d73b 100644 --- a/pnpm-lock.yaml +++ b/pnpm-lock.yaml @@ -32,7 +32,7 @@ overrides: oclif>@aws-sdk/client-cloudfront: '-' oclif>@aws-sdk/client-s3: '-' axios@<0.30.0: ^0.30.0 - tar: '>=7.5.7' + tar: '>=7.5.11' pnpmfileChecksum: sha256-UgK94jvekjDphs6M2itZJZ9CcCzYY0xcxZhNXJw7D28= 
@@ -2155,115 +2155,6 @@ importers: specifier: ^6.0.1 version: 6.0.1 - examples/benchmarks/odspsnapshotfetch-perftestapp: - dependencies: - '@fluidframework/core-utils': - specifier: workspace:~ - version: link:../../../packages/common/core-utils - '@fluidframework/driver-definitions': - specifier: workspace:~ - version: link:../../../packages/common/driver-definitions - '@fluidframework/driver-utils': - specifier: workspace:~ - version: link:../../../packages/loader/driver-utils - '@fluidframework/odsp-doclib-utils': - specifier: workspace:~ - version: link:../../../packages/utils/odsp-doclib-utils - '@fluidframework/odsp-driver': - specifier: workspace:~ - version: link:../../../packages/drivers/odsp-driver - '@fluidframework/odsp-urlresolver': - specifier: workspace:~ - version: link:../../../packages/drivers/odsp-urlResolver - '@fluidframework/telemetry-utils': - specifier: workspace:~ - version: link:../../../packages/utils/telemetry-utils - '@fluidframework/tool-utils': - specifier: workspace:~ - version: link:../../../packages/utils/tool-utils - express: - specifier: ^4.21.2 - version: 4.21.2 - webpack-dev-server: - specifier: ~4.15.2 - version: 4.15.2(webpack-cli@5.1.4)(webpack@5.103.0) - devDependencies: - '@biomejs/biome': - specifier: ~2.4.5 - version: 2.4.5 - '@fluid-tools/build-cli': - specifier: catalog:buildTools - version: 0.63.0(@types/node@20.19.30)(encoding@0.1.13)(webpack-cli@5.1.4) - '@fluidframework/build-common': - specifier: ^2.0.3 - version: 2.0.3 - '@fluidframework/build-tools': - specifier: catalog:buildTools - version: 0.63.0(@types/node@20.19.30) - '@fluidframework/eslint-config-fluid': - specifier: workspace:~ - version: link:../../../common/build/eslint-config-fluid - '@types/express': - specifier: ^4.17.21 - version: 4.17.21 - '@types/fs-extra': - specifier: ^9.0.11 - version: 9.0.13 - '@types/node': - specifier: ~20.19.30 - version: 20.19.30 - '@types/webpack-hot-middleware': - specifier: ^2.25.9 - version: 2.25.9(webpack-cli@5.1.4) 
- buffer: - specifier: ^6.0.3 - version: 6.0.3 - c8: - specifier: ^10.1.3 - version: 10.1.3 - css-loader: - specifier: ^7.1.2 - version: 7.1.2(webpack@5.103.0) - eslint: - specifier: ~9.39.1 - version: 9.39.1(jiti@2.6.1) - fs-extra: - specifier: ^9.1.0 - version: 9.1.0 - jiti: - specifier: ^2.6.1 - version: 2.6.1 - rimraf: - specifier: ^6.1.3 - version: 6.1.3 - source-map-loader: - specifier: ^5.0.0 - version: 5.0.0(webpack@5.103.0) - style-loader: - specifier: ^4.0.0 - version: 4.0.0(webpack@5.103.0) - ts-loader: - specifier: ^9.5.1 - version: 9.5.1(typescript@5.4.5)(webpack@5.103.0) - typescript: - specifier: ~5.4.5 - version: 5.4.5 - webpack: - specifier: ^5.94.0 - version: 5.103.0(webpack-cli@5.1.4) - webpack-cli: - specifier: ^5.1.4 - version: 5.1.4(webpack-dev-server@4.15.2)(webpack@5.103.0) - webpack-dev-middleware: - specifier: ^7.1.1 - version: 7.4.2(webpack@5.103.0) - webpack-hot-middleware: - specifier: ^2.25.3 - version: 2.26.1 - webpack-merge: - specifier: ^6.0.1 - version: 6.0.1 - examples/benchmarks/tablebench: dependencies: '@fluid-internal/client-utils': 
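Review bot: This hunk deletes the whole `examples/benchmarks/odspsnapshotfetch-perftestapp` importer from the root lockfile, and later hunks in the same file drop packages that appear to be pulled in only by it (webpack-dev-middleware, webpack-hot-middleware, memfs, the @jsonjoy.com packages, thingies, tree-dump, hyperdyperid, @types/webpack-hot-middleware), none of which the commit message mentions. Either that workspace package was removed on main and this branch's lockfile was regenerated from a drifted base, or the install ran in a checkout missing that directory; in both cases the lockfile diff for a tar bump should contain only the tar/minipass lines, because an unintended importer removal silently breaks that package's install. Rebasing and regenerating, then checking with `pnpm install --frozen-lockfile`, would confirm which it is.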
@@ -19266,24 +19157,6 @@ packages: '@json2csv/plainjs@7.0.6': resolution: {integrity: sha512-4Md7RPDCSYpmW1HWIpWBOqCd4vWfIqm53S3e/uzQ62iGi7L3r34fK/8nhOMEe+/eVfCx8+gdSCt1d74SlacQHw==} - '@jsonjoy.com/base64@1.1.2': - resolution: {integrity: sha512-q6XAnWQDIMA3+FTiOYajoYqySkO+JSat0ytXGSuRdq9uXE7o92gzuQwQM14xaCRlBLGq3v5miDGC4vkVTn54xA==} - engines: {node: '>=10.0'} - peerDependencies: - tslib: '2' - - '@jsonjoy.com/json-pack@1.1.1': - resolution: {integrity: sha512-osjeBqMJ2lb/j/M8NCPjs1ylqWIcTRTycIhVB5pt6LgzgeRSb0YRZ7j9RfA8wIUrsr/medIuhVyonXRZWLyfdw==} - engines: {node: '>=10.0'} - peerDependencies: - tslib: '2' - - '@jsonjoy.com/util@1.5.0': - resolution: {integrity: sha512-ojoNsrIuPI9g6o8UxhraZQSyF2ByJanAY4cTFbc8Mf2AXEF4aQRGY1dJxyJpuyav8r9FGflEt/Ff3u5Nt6YMPA==} - engines: {node: '>=10.0'} - peerDependencies: - tslib: '2' - '@juggle/resize-observer@3.4.0': resolution: {integrity: sha512-dfLbk+PwWvFzSxwk3n5ySL0hfBog779o8h68wK/7/APo/7cgyWp5jcXockbxdk5kFRkbeXWm4Fbi9FrdN381sA==} @@ -20388,9 +20261,6 @@ packages: '@types/valid-url@1.0.7': resolution: {integrity: sha512-tgsWVG80dM5PVEBSbXUttPJTBCOo0IKbBh4R4z/SHsC5C81A3aaUH4fsbj+JYk7fopApU/Mao1c0EWTE592TSg==} - '@types/webpack-hot-middleware@2.25.9': - resolution: {integrity: sha512-fad4T9VfocBjS2fZxlqkGoXoVUAjVp0EEnKBRqPwnhEEDN/FqJoFkSP5t9O1gPH75qsyG2kkT/GSUqSNTn1ZPg==} - '@types/wrap-ansi@3.0.0': resolution: {integrity: sha512-ltIpx+kM7g/MLRZfkbL7EsCEjfzCcScLpkg37eXEtx5kmrAKBkTJwd1GIAjDSL8wTpM6Hzn5YO4pSb91BEwu1g==} @@ -23509,10 +23379,6 @@ packages: humanize-ms@1.2.1: resolution: {integrity: sha512-Fl70vYtsAFb/C06PTS9dZBo7ihau+Tu/DNCk/OyHhea07S+aeMWpFFkUaXRa8fI+ScZbEI8dfSxwY7gxZ9SAVQ==} - hyperdyperid@1.2.0: - resolution: {integrity: sha512-Y93lCzHYgGWdrJ66yIktxiaGULYc6oGiABxhcO5AufBeOyoIdZF7bIfLaOrbM0iGIOXQQgxxRrFEnb+Y6w1n4A==} - engines: {node: '>=10.18'} - hyperlinker@1.0.0: resolution: {integrity: sha512-Ty8UblRWFEcfSuIaajM34LdPXIhbs1ajEX/BBPv24J+enSVaEVY63xQ6lTO9VRYS5LAoghIG0IDJ+p+IPzKUQQ==} engines: {node: '>=4'} 
@@ -24795,10 +24661,6 @@ packages: resolution: {integrity: sha512-UERzLsxzllchadvbPs5aolHh65ISpKpM+ccLbOJ8/vvpBKmAWf+la7dXFy7Mr0ySHbdHrFv5kGFCUHHe6GFEmw==} engines: {node: '>= 4.0.0'} - memfs@4.15.0: - resolution: {integrity: sha512-q9MmZXd2rRWHS6GU3WEm3HyiXZyyoA1DqdOhEq0lxPBmKb5S7IAOwX0RgUCwJfqjelDCySa5h8ujOy24LqsWcw==} - engines: {node: '>= 4.0.0'} - memoize@10.2.0: resolution: {integrity: sha512-DeC6b7QBrZsRs3Y02A6A7lQyzFbsQbqgjI6UW0GigGWV+u1s25TycMr0XHZE4cJce7rY/vyw2ctMQqfDkIhUEA==} engines: {node: '>=18'} @@ -27274,8 +27136,8 @@ packages: tar-stream@3.1.7: resolution: {integrity: sha512-qJj60CXt7IU1Ffyc3NJMjh6EkuCFej46zUqJ4J7pqYlThyd9bO0XBTmcOIhSzZJVWfsLks0+nle/j538YAW9RQ==} - tar@7.5.7: - resolution: {integrity: sha512-fov56fJiRuThVFXD6o6/Q354S7pnWMJIVlDBYijsTNx6jKSE4pvrDTs6lUnmGvNyfJwFQQwWy3owKz1ucIhveQ==} + tar@7.5.11: + resolution: {integrity: sha512-ChjMH33/KetonMTAtpYdgUFr0tbz69Fp2v7zWxQfYZX4g5ZN2nOBXm1R2xyA+lMIKrLKIoKAwFj93jE/avX9cQ==} engines: {node: '>=18'} temp@0.9.4: @@ -27332,12 +27194,6 @@ packages: thenify@3.3.1: resolution: {integrity: sha512-RVZSIV5IG10Hk3enotrhvz0T9em6cyHBLkH/YAZuKqd8hRkKhSfCGIcP2KUY0EPxndzANBmNllzWPwak+bheSw==} - thingies@1.21.0: - resolution: {integrity: sha512-hsqsJsFMsV+aD4s3CWKk85ep/3I9XzYV/IXaSouJMYIoDlgyi11cBhsqYe9/geRfB0YIikBQg6raRaM+nIMP9g==} - engines: {node: '>=10.18'} - peerDependencies: - tslib: ^2 - through2@2.0.5: resolution: {integrity: sha512-/mrRod8xqpA+IHSLyGCQ2s8SPHiCDEeQJSep1jqLYeEUClOFG2Qsh+4FU6G9VeqpZnGW/Su8LQGc4YKni5rYSQ==} 
@@ -27435,12 +27291,6 @@ packages: traverse@0.6.6: resolution: {integrity: sha512-kdf4JKs8lbARxWdp7RKdNzoJBhGUcIalSYibuGyHJbmk40pOysQ0+QPvlkCOICOivDWU2IJo2rkrxyTK2AH4fw==} - tree-dump@1.0.2: - resolution: {integrity: sha512-dpev9ABuLWdEubk+cIaI9cHwRNNDjkBBLXTwI4UCUFdQ5xXKqNXoK4FEciw/vxf+NQ7Cb7sGUyeUtORvHIdRXQ==} - engines: {node: '>=10.0'} - peerDependencies: - tslib: '2' - tree-kill@1.2.2: resolution: {integrity: sha512-L0Orpi8qGpRG//Nd+H90vFB+3iHnue1zSSGmNOOCh1GLJ7rUKVwV2HvijphGQS2UmhUZewS9VgvxYIdgr+fG1A==} hasBin: true @@ -28051,15 +27901,6 @@ packages: peerDependencies: webpack: ^4.0.0 || ^5.0.0 - webpack-dev-middleware@7.4.2: - resolution: {integrity: sha512-xOO8n6eggxnwYpy1NlzUKpvrjfJTvae5/D6WOK0S2LSo7vjmo5gCM1DbLUmFqrMTJP+W/0YZNctm7jasWvLuBA==} - engines: {node: '>= 18.12.0'} - peerDependencies: - webpack: ^5.0.0 - peerDependenciesMeta: - webpack: - optional: true - webpack-dev-server@4.15.2: resolution: {integrity: sha512-0XavAZbNJ5sDrCbkpWL8mia0o5WPOd2YGtxrEiZkBK9FjLppIUK2TgxK6qGD2P3hUXTJNNPVibrerKcx5WkR1g==} engines: {node: '>= 12.13.0'} @@ -28073,9 +27914,6 @@ packages: webpack-cli: optional: true - webpack-hot-middleware@2.26.1: - resolution: {integrity: sha512-khZGfAeJx6I8K9zKohEWWYN6KDlVw2DHownoe+6Vtwj1LP9WFgegXnVMSkZ/dBEBtXFwrkkydsaPFlB7f8wU2A==} - webpack-merge@5.10.0: resolution: {integrity: sha512-+4zXKdx7UnO+1jaN4l2lHVD+mFvnlZQP/6ljaJVb4SZiwIKeUnrT5l0gkT8z+n4hKpC+jpOv6O9R+gLtag7pSA==} engines: {node: '>=10.0.0'} @@ -32546,22 +32384,6 @@ snapshots: '@json2csv/formatters': 7.0.6 '@streamparser/json': 0.0.20 - '@jsonjoy.com/base64@1.1.2(tslib@2.8.1)': - dependencies: - tslib: 2.8.1 - - '@jsonjoy.com/json-pack@1.1.1(tslib@2.8.1)': - dependencies: - '@jsonjoy.com/base64': 1.1.2(tslib@2.8.1) - '@jsonjoy.com/util': 1.5.0(tslib@2.8.1) - hyperdyperid: 1.2.0 - thingies: 1.21.0(tslib@2.8.1) - tslib: 2.8.1 - - '@jsonjoy.com/util@1.5.0(tslib@2.8.1)': - dependencies: - tslib: 2.8.1 - '@juggle/resize-observer@3.4.0': {} '@kwsites/file-exists@1.1.1': 
@@ -33978,17 +33800,6 @@ snapshots: '@types/valid-url@1.0.7': {} - '@types/webpack-hot-middleware@2.25.9(webpack-cli@5.1.4)': - dependencies: - '@types/connect': 3.4.38 - tapable: 2.3.0 - webpack: 5.103.0(webpack-cli@5.1.4) - transitivePeerDependencies: - - '@swc/core' - - esbuild - - uglify-js - - webpack-cli - '@types/wrap-ansi@3.0.0': {} '@types/ws@6.0.4': @@ -34284,7 +34095,7 @@ snapshots: dependencies: axios: 1.13.5(debug@4.4.3) rimraf: 5.0.10 - tar: 7.5.7 + tar: 7.5.11 unzipper: 0.10.14 transitivePeerDependencies: - debug @@ -35058,7 +34869,7 @@ snapshots: promise-inflight: 1.0.1 rimraf: 3.0.2 ssri: 9.0.1 - tar: 7.5.7 + tar: 7.5.11 unique-filename: 2.0.1 transitivePeerDependencies: - bluebird @@ -35075,7 +34886,7 @@ snapshots: minipass-pipeline: 1.2.4 p-map: 4.0.0 ssri: 10.0.6 - tar: 7.5.7 + tar: 7.5.11 unique-filename: 3.0.0 cacheable-lookup@7.0.0: {} @@ -37572,8 +37383,6 @@ snapshots: dependencies: ms: 2.1.3 - hyperdyperid@1.2.0: {} - hyperlinker@1.0.0: {} iconv-lite@0.4.24: @@ -39254,13 +39063,6 @@ snapshots: dependencies: fs-monkey: 1.1.0 - memfs@4.15.0: - dependencies: - '@jsonjoy.com/json-pack': 1.1.1(tslib@2.8.1) - '@jsonjoy.com/util': 1.5.0(tslib@2.8.1) - tree-dump: 1.0.2(tslib@2.8.1) - tslib: 2.8.1 - memoize@10.2.0: dependencies: mimic-function: 5.0.1 @@ -39909,7 +39711,7 @@ snapshots: npmlog: 6.0.2 rimraf: 3.0.2 semver: 7.7.3 - tar: 7.5.7 + tar: 7.5.11 which: 2.0.2 transitivePeerDependencies: - bluebird @@ -40332,7 +40134,7 @@ snapshots: read-package-json-fast: 3.0.2 sigstore: 1.9.0 ssri: 10.0.6 - tar: 7.5.7 + tar: 7.5.11 transitivePeerDependencies: - bluebird - supports-color @@ -42401,7 +42203,7 @@ snapshots: fast-fifo: 1.3.2 streamx: 2.21.0 - tar@7.5.7: + tar@7.5.11: dependencies: '@isaacs/fs-minipass': 4.0.1 chownr: 3.0.0 @@ -42472,10 +42274,6 @@ snapshots: dependencies: any-promise: 1.3.0 - thingies@1.21.0(tslib@2.8.1): - dependencies: - tslib: 2.8.1 - through2@2.0.5: dependencies: readable-stream: 2.3.8 
@@ -42607,10 +42405,6 @@ snapshots: traverse@0.6.6: {} - tree-dump@1.0.2(tslib@2.8.1): - dependencies: - tslib: 2.8.1 - tree-kill@1.2.2: {} triple-beam@1.4.1: {} @@ -43338,17 +43132,6 @@ snapshots: schema-utils: 4.3.3 webpack: 5.103.0(webpack-cli@5.1.4) - webpack-dev-middleware@7.4.2(webpack@5.103.0): - dependencies: - colorette: 2.0.20 - memfs: 4.15.0 - mime-types: 2.1.35 - on-finished: 2.4.1 - range-parser: 1.2.1 - schema-utils: 4.3.3 - optionalDependencies: - webpack: 5.103.0(webpack-cli@5.1.4) - webpack-dev-server@4.15.2(debug@4.4.3)(webpack-cli@5.1.4)(webpack@5.103.0): dependencies: '@types/bonjour': 3.5.13 @@ -43431,12 +43214,6 @@ snapshots: - supports-color - utf-8-validate - webpack-hot-middleware@2.26.1: - dependencies: - ansi-html-community: 0.0.8 - html-entities: 2.6.0 - strip-ansi: 6.0.1 - webpack-merge@5.10.0: dependencies: clone-deep: 4.0.1 diff --git a/server/gitrest/package.json b/server/gitrest/package.json index fd5297e4f973..863bcace2a4b 100644 --- a/server/gitrest/package.json +++ b/server/gitrest/package.json @@ -82,7 +82,8 @@ "oclif includes some AWS-related features, but we don't use them, so we drop those dependencies entirely via overrides. This helps reduce lockfile churn since the deps release very frequently.", "qs: overridden to ^6.15.0 to resolve a known vulnerability in older versions.", "js-yaml: overridden to fix a known vulnerability (prototype pollution via merge keys).", - "simple-git: overridden to ^3.32.3 to resolve a CG alert." + "simple-git: overridden to ^3.32.3 to resolve a CG alert.", + "tar: overridden to >=7.5.11 to resolve multiple security vulnerabilities in tar 6.x (EOL, no backport)." ], "overrides": { "@fluidframework/eslint-config-fluid": "link:../../common/build/eslint-config-fluid", @@ -96,7 +97,8 @@ "js-yaml@>=4": "^4.1.1", "qs": "^6.15.0", "simple-git": "^3.32.3", - "sharp": "^0.33.2" + "sharp": "^0.33.2", + "tar": ">=7.5.11" }, "onlyBuiltDependencies": [ "core-js", 
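Review bot: The `"tar": ">=7.5.11"` override forces every transitive consumer in this workspace from tar 6.2.1 (`engines: {node: '>=10'}` in the removed lockfile entry) onto tar 7.5.11, whose lockfile entry — like those of chownr@3.0.0, minizlib@3.1.0 and yallist@5.0.0 that come with it — declares `engines: {node: '>=18'}`, so the override quietly raises the Node floor for the snapshots that now resolve `tar: 7.5.11` (the ones next to `ssri`, `npmlog` and `sigstore`, which look like cacache, node-gyp and pacote written against tar 6). Neither this hunk nor the historian and routerlicious override hunks below touch an `engines` field, so it is worth confirming that these workspaces' engines range and CI Node versions already require 18+, and that the tar-7 consumers are exercised by some test, since a major-version override can fail only at runtime; the root lockfile in this series already running those consumers on 7.5.7 is a reasonable precedent but not proof for these workspaces. If the floor is already 18, a short note in the `commentsOverrides` entry, e.g. `"... tar 7 requires Node >=18, which all workspaces already require."`, would record that the check was done.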
diff --git a/server/gitrest/pnpm-lock.yaml b/server/gitrest/pnpm-lock.yaml index dc1ba1ea613f..f3caa6fbd173 100644 --- a/server/gitrest/pnpm-lock.yaml +++ b/server/gitrest/pnpm-lock.yaml @@ -17,6 +17,7 @@ overrides: qs: ^6.15.0 simple-git: ^3.32.3 sharp: ^0.33.2 + tar: '>=7.5.11' importers: @@ -843,6 +844,10 @@ packages: resolution: {integrity: sha512-O8jcjabXaleOG9DQ0+ARXWZBTfnP4WNAqzuiJK7ll44AmxGKv/J2M4TPjxjY3znBCfvBXFzucm1twdyFybFqEA==} engines: {node: '>=12'} + '@isaacs/fs-minipass@4.0.1': + resolution: {integrity: sha512-wgm9Ehl2jpeqP3zw/7mo3kRHFp5MEDhqAdwy1fTGkHAwnkGOVsgpvQhL8B5n1qlb01jV3n/bI0ZfZp5lWA1k4w==} + engines: {node: '>=18.0.0'} + '@istanbuljs/schema@0.1.3': resolution: {integrity: sha512-ZXRY4jNvVgSVQ8DL3LTcakaAtXwTVUxE81hslsyD2AtoXW/wVob10HkOJ1X/pAlcI7D+2YoZKg5do8G/w6RYgA==} engines: {node: '>=8'} @@ -1741,6 +1746,10 @@ packages: resolution: {integrity: sha512-bIomtDF5KGpdogkLd9VspvFzk9KfpyyGlS8YFVZl7TGPBHL5snIOnxeshwVgPteQ9b4Eydl+pVbIyE1DcvCWgQ==} engines: {node: '>=10'} + chownr@3.0.0: + resolution: {integrity: sha512-+IxzY9BZOQd/XuYPRmrvEVjF/nqj5kgT4kEq7VofrDoM1MxoRjEWkrCC3EtLi59TVawxTAn+orJwFQcrqEN1+g==} + engines: {node: '>=18'} + chrome-trace-event@1.0.3: resolution: {integrity: sha512-p3KULyQg4S7NIHixdwbGX+nFHkoBiA4YQmyWtjb8XngSKV124nJmRysgAeujbUVb15vh+RvFUfCPqU7rXk+hZg==} engines: {node: '>=6.0'} @@ -3508,6 +3517,10 @@ packages: resolution: {integrity: sha512-bAxsR8BVfj60DWXHE3u30oHzfl4G7khkSuPW+qvpd7jFRHm7dLxOjUk1EHACJ/hxLY8phGJ0YhYHZo7jil7Qdg==} engines: {node: '>= 8'} + minizlib@3.1.0: + resolution: {integrity: sha512-KZxYo1BUkWD2TVFLr0MQoM8vUUigWD3LlD83a/75BqC+4qE0Hb1Vo5v1FgcfaNXvfXzr+5EhQ6ing/CaBijTlw==} + engines: {node: '>= 18'} + mkdirp@1.0.4: resolution: {integrity: sha512-vVqVZQyf3WLx2Shd0qJ9xuvqgAyKPLAiqITEtqW0oIUjzo3PePDd6fW9iFz30ef7Ysp/oiWqbhszeGWW2T6Gzw==} engines: {node: '>=10'} 
@@ -4525,10 +4538,9 @@ packages: resolution: {integrity: sha512-g9ljZiwki/LfxmQADO3dEY1CbpmXT5Hm2fJ+QaGKwSXUylMybePR7/67YW7jOrrvjEgL1Fmz5kzyAjWVWLlucg==} engines: {node: '>=6'} - tar@6.2.1: - resolution: {integrity: sha512-DZ4yORTwrbTj/7MZYq2w+/ZFdI6OZ/f9SFHR+71gIVUZhOQPHzVCLpvRnPgyaMpfWxxk/4ONva3GQSyNIKRv6A==} - engines: {node: '>=10'} - deprecated: Old versions of tar are not supported, and contain widely publicized security vulnerabilities, which have been fixed in the current version. Please update. Support for old versions may be purchased (at exorbitant rates) by contacting i@izs.me + tar@7.5.11: + resolution: {integrity: sha512-ChjMH33/KetonMTAtpYdgUFr0tbz69Fp2v7zWxQfYZX4g5ZN2nOBXm1R2xyA+lMIKrLKIoKAwFj93jE/avX9cQ==} + engines: {node: '>=18'} terser-webpack-plugin@5.3.15: resolution: {integrity: sha512-PGkOdpRFK+rb1TzVz+msVhw4YMRT9txLF4kRqvJhGhCM324xuR3REBSHALN+l+sAhKUmz0aotnjp5D+P83mLhQ==} @@ -4959,6 +4971,10 @@ packages: yallist@4.0.0: resolution: {integrity: sha512-3wdGidZyq5PB084XLES5TpOSRA3wjXAlIWMhum2kRcv/41Sn2emQ0dycQW4uZXLejwKvg6EsvbdlVL+FYEct7A==} + yallist@5.0.0: + resolution: {integrity: sha512-YgvUTfwqyc7UXVMrB+SImsVYSmTS8X/tSrtdNZMImM+n7+QTriRXyXim0mBrTXNeqzVF0KWGgHPeiyViFFrNDw==} + engines: {node: '>=18'} + yaml@2.8.2: resolution: {integrity: sha512-mplynKqc1C2hTVYxd0PU2xQAc22TI1vShAYGksCCfxbn/dFwnHTNi1bvYsBTkhdUNtGIf5xNOg938rrSSYvS9A==} engines: {node: '>= 14.6'} @@ -5731,6 +5747,10 @@ snapshots: wrap-ansi: 8.1.0 wrap-ansi-cjs: wrap-ansi@7.0.0 + '@isaacs/fs-minipass@4.0.1': + dependencies: + minipass: 7.1.2 + '@istanbuljs/schema@0.1.3': {} '@jridgewell/gen-mapping@0.3.3': @@ -6726,7 +6746,7 @@ snapshots: promise-inflight: 1.0.1 rimraf: 3.0.2 ssri: 9.0.1 - tar: 6.2.1 + tar: 7.5.11 unique-filename: 2.0.1 transitivePeerDependencies: - bluebird @@ -6744,7 +6764,7 @@ snapshots: p-map: 4.0.0 promise-inflight: 1.0.1 ssri: 10.0.1 - tar: 6.2.1 + tar: 7.5.11 unique-filename: 3.0.0 transitivePeerDependencies: - bluebird 
@@ -6847,6 +6867,8 @@ snapshots: chownr@2.0.0: {} + chownr@3.0.0: {} + chrome-trace-event@1.0.3: {} ci-info@3.9.0: {} @@ -8832,6 +8854,10 @@ snapshots: minipass: 3.3.6 yallist: 4.0.0 + minizlib@3.1.0: + dependencies: + minipass: 7.1.2 + mkdirp@1.0.4: {} mkdirp@3.0.1: {} @@ -8949,7 +8975,7 @@ snapshots: npmlog: 6.0.2 rimraf: 3.0.2 semver: 7.7.4 - tar: 6.2.1 + tar: 7.5.11 which: 2.0.2 transitivePeerDependencies: - bluebird @@ -9238,7 +9264,7 @@ snapshots: read-package-json-fast: 3.0.2 sigstore: 1.7.0 ssri: 10.0.1 - tar: 6.2.1 + tar: 7.5.11 transitivePeerDependencies: - bluebird - supports-color @@ -10042,14 +10068,13 @@ snapshots: tapable@2.3.0: {} - tar@6.2.1: + tar@7.5.11: dependencies: - chownr: 2.0.0 - fs-minipass: 2.1.0 - minipass: 5.0.0 - minizlib: 2.1.2 - mkdirp: 1.0.4 - yallist: 4.0.0 + '@isaacs/fs-minipass': 4.0.1 + chownr: 3.0.0 + minipass: 7.1.2 + minizlib: 3.1.0 + yallist: 5.0.0 terser-webpack-plugin@5.3.15(webpack@5.103.0): dependencies: @@ -10488,6 +10513,8 @@ snapshots: yallist@4.0.0: {} + yallist@5.0.0: {} + yaml@2.8.2: {} yargs-parser@20.2.9: {} diff --git a/server/historian/package.json b/server/historian/package.json index 4ab2cef11e5b..70ca94952ca7 100644 --- a/server/historian/package.json +++ b/server/historian/package.json @@ -74,7 +74,8 @@ "eslint is overridden to v9 for flat config support across all packages", "qs: overridden to ^6.15.0 to resolve a known vulnerability in older versions.", "js-yaml: overridden to fix a known vulnerability (prototype pollution via merge keys).", - "simple-git: overridden to ^3.32.3 to resolve a CG alert." + "simple-git: overridden to ^3.32.3 to resolve a CG alert.", + "tar: overridden to >=7.5.11 to resolve multiple security vulnerabilities in tar 6.x (EOL, no backport)." ], "overrides": { "@fluidframework/eslint-config-fluid": "link:../../common/build/eslint-config-fluid", 
@@ -90,6 +91,7 @@ "qs": "^6.15.0", "simple-git": "^3.32.3", "socket.io-parser": "^4.2.4", + "tar": ">=7.5.11", "sharp": "^0.33.2" }, "onlyBuiltDependencies": [ diff --git a/server/historian/pnpm-lock.yaml b/server/historian/pnpm-lock.yaml index 1067e15d0b7e..eeb9a36bff61 100644 --- a/server/historian/pnpm-lock.yaml +++ b/server/historian/pnpm-lock.yaml @@ -18,6 +18,7 @@ overrides: qs: ^6.15.0 simple-git: ^3.32.3 socket.io-parser: ^4.2.4 + tar: '>=7.5.11' sharp: ^0.33.2 importers: @@ -813,6 +814,10 @@ packages: resolution: {integrity: sha512-O8jcjabXaleOG9DQ0+ARXWZBTfnP4WNAqzuiJK7ll44AmxGKv/J2M4TPjxjY3znBCfvBXFzucm1twdyFybFqEA==} engines: {node: '>=12'} + '@isaacs/fs-minipass@4.0.1': + resolution: {integrity: sha512-wgm9Ehl2jpeqP3zw/7mo3kRHFp5MEDhqAdwy1fTGkHAwnkGOVsgpvQhL8B5n1qlb01jV3n/bI0ZfZp5lWA1k4w==} + engines: {node: '>=18.0.0'} + '@istanbuljs/schema@0.1.3': resolution: {integrity: sha512-ZXRY4jNvVgSVQ8DL3LTcakaAtXwTVUxE81hslsyD2AtoXW/wVob10HkOJ1X/pAlcI7D+2YoZKg5do8G/w6RYgA==} engines: {node: '>=8'} @@ -1797,6 +1802,10 @@ packages: resolution: {integrity: sha512-bIomtDF5KGpdogkLd9VspvFzk9KfpyyGlS8YFVZl7TGPBHL5snIOnxeshwVgPteQ9b4Eydl+pVbIyE1DcvCWgQ==} engines: {node: '>=10'} + chownr@3.0.0: + resolution: {integrity: sha512-+IxzY9BZOQd/XuYPRmrvEVjF/nqj5kgT4kEq7VofrDoM1MxoRjEWkrCC3EtLi59TVawxTAn+orJwFQcrqEN1+g==} + engines: {node: '>=18'} + chrome-trace-event@1.0.3: resolution: {integrity: sha512-p3KULyQg4S7NIHixdwbGX+nFHkoBiA4YQmyWtjb8XngSKV124nJmRysgAeujbUVb15vh+RvFUfCPqU7rXk+hZg==} engines: {node: '>=6.0'} 
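Review bot: The new `"tar"` entry is inserted between `"socket.io-parser"` and `"sharp"` rather than appended after the last existing override as in the gitrest hunk, and the routerlicious hunk further down does the same in front of `"socket.io-parser"`; keeping the insertion point consistent across the six workspaces (appended last, mirroring where the matching `commentsOverrides` line was added) keeps these parallel edits easy to diff and merge. Here that means moving the line so the block ends `"sharp": "^0.33.2", "tar": ">=7.5.11"`.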
@@ -3644,6 +3653,10 @@ packages: resolution: {integrity: sha512-bAxsR8BVfj60DWXHE3u30oHzfl4G7khkSuPW+qvpd7jFRHm7dLxOjUk1EHACJ/hxLY8phGJ0YhYHZo7jil7Qdg==} engines: {node: '>= 8'} + minizlib@3.1.0: + resolution: {integrity: sha512-KZxYo1BUkWD2TVFLr0MQoM8vUUigWD3LlD83a/75BqC+4qE0Hb1Vo5v1FgcfaNXvfXzr+5EhQ6ing/CaBijTlw==} + engines: {node: '>= 18'} + mkdirp@0.5.6: resolution: {integrity: sha512-FP+p8RB8OWpF3YZBCrP5gtADmtXApB5AMLn+vdyA+PyxCjrCs00mjyUozssO33cwDeT3wNGdLxJ5M//YqtHAJw==} hasBin: true @@ -4784,10 +4797,9 @@ packages: resolution: {integrity: sha512-rzS0heiNf8Xn7/mpdSVVSMAWAoy9bfb1WOTYC78Z0UQKeKa/CWS8FOq0lKGNa8DWKAn9gxjCvMLYc5PGXYlK2A==} engines: {node: '>= 0.8.0'} - tar@6.2.1: - resolution: {integrity: sha512-DZ4yORTwrbTj/7MZYq2w+/ZFdI6OZ/f9SFHR+71gIVUZhOQPHzVCLpvRnPgyaMpfWxxk/4ONva3GQSyNIKRv6A==} - engines: {node: '>=10'} - deprecated: Old versions of tar are not supported, and contain widely publicized security vulnerabilities, which have been fixed in the current version. Please update. Support for old versions may be purchased (at exorbitant rates) by contacting i@izs.me + tar@7.5.11: + resolution: {integrity: sha512-ChjMH33/KetonMTAtpYdgUFr0tbz69Fp2v7zWxQfYZX4g5ZN2nOBXm1R2xyA+lMIKrLKIoKAwFj93jE/avX9cQ==} + engines: {node: '>=18'} telegrafjs@0.1.3: resolution: {integrity: sha512-OdLXhCp8yxXz9uY8xH5q55COtU89eOAwVZStcGJU1CLDsDnC7ON12I5cHJaaXvSfTaP309eh7IGsY72Q0hGrww==} @@ -5235,6 +5247,10 @@ packages: yallist@4.0.0: resolution: {integrity: sha512-3wdGidZyq5PB084XLES5TpOSRA3wjXAlIWMhum2kRcv/41Sn2emQ0dycQW4uZXLejwKvg6EsvbdlVL+FYEct7A==} + yallist@5.0.0: + resolution: {integrity: sha512-YgvUTfwqyc7UXVMrB+SImsVYSmTS8X/tSrtdNZMImM+n7+QTriRXyXim0mBrTXNeqzVF0KWGgHPeiyViFFrNDw==} + engines: {node: '>=18'} + yaml@2.8.2: resolution: {integrity: sha512-mplynKqc1C2hTVYxd0PU2xQAc22TI1vShAYGksCCfxbn/dFwnHTNi1bvYsBTkhdUNtGIf5xNOg938rrSSYvS9A==} engines: {node: '>= 14.6'} 
@@ -6086,6 +6102,10 @@ snapshots: wrap-ansi: 8.1.0 wrap-ansi-cjs: wrap-ansi@7.0.0 + '@isaacs/fs-minipass@4.0.1': + dependencies: + minipass: 7.1.2 + '@istanbuljs/schema@0.1.3': {} '@jridgewell/gen-mapping@0.3.3': @@ -7186,7 +7206,7 @@ snapshots: promise-inflight: 1.0.1 rimraf: 3.0.2 ssri: 9.0.1 - tar: 6.2.1 + tar: 7.5.11 unique-filename: 2.0.1 transitivePeerDependencies: - bluebird @@ -7203,7 +7223,7 @@ snapshots: minipass-pipeline: 1.2.4 p-map: 4.0.0 ssri: 10.0.4 - tar: 6.2.1 + tar: 7.5.11 unique-filename: 3.0.0 cacheable-lookup@7.0.0: {} @@ -7311,6 +7331,8 @@ snapshots: chownr@2.0.0: {} + chownr@3.0.0: {} + chrome-trace-event@1.0.3: {} ci-info@3.8.0: {} @@ -9401,6 +9423,10 @@ snapshots: minipass: 3.3.6 yallist: 4.0.0 + minizlib@3.1.0: + dependencies: + minipass: 7.1.2 + mkdirp@0.5.6: dependencies: minimist: 1.2.8 @@ -9550,7 +9576,7 @@ snapshots: npmlog: 6.0.2 rimraf: 3.0.2 semver: 7.7.3 - tar: 6.2.1 + tar: 7.5.11 which: 2.0.2 transitivePeerDependencies: - bluebird @@ -9851,7 +9877,7 @@ snapshots: read-package-json-fast: 3.0.2 sigstore: 1.4.0 ssri: 10.0.4 - tar: 6.2.1 + tar: 7.5.11 transitivePeerDependencies: - bluebird - supports-color @@ -10773,14 +10799,13 @@ snapshots: to-buffer: 1.2.1 xtend: 4.0.2 - tar@6.2.1: + tar@7.5.11: dependencies: - chownr: 2.0.0 - fs-minipass: 2.1.0 - minipass: 5.0.0 - minizlib: 2.1.2 - mkdirp: 1.0.4 - yallist: 4.0.0 + '@isaacs/fs-minipass': 4.0.1 + chownr: 3.0.0 + minipass: 7.1.2 + minizlib: 3.1.0 + yallist: 5.0.0 telegrafjs@0.1.3: {} @@ -11243,6 +11268,8 @@ snapshots: yallist@4.0.0: {} + yallist@5.0.0: {} + yaml@2.8.2: {} yargs-parser@20.2.9: {} diff --git a/server/routerlicious/package.json b/server/routerlicious/package.json index 30adc5235293..5e1dcc8da150 100644 --- a/server/routerlicious/package.json +++ b/server/routerlicious/package.json 
@@ -152,7 +152,8 @@ "qs: overridden to ^6.15.0 to resolve a known vulnerability in older versions.", "js-yaml: overridden to fix a known vulnerability (prototype pollution via merge keys).", "systeminformation: overridden to ^5.31.0 to resolve command injection vulnerabilities.", - "simple-git: overridden to ^3.32.3 to resolve a CG alert." + "simple-git: overridden to ^3.32.3 to resolve a CG alert.", + "tar: overridden to >=7.5.11 to resolve multiple security vulnerabilities in tar 6.x (EOL, no backport)." ], "overrides": { "@typescript-eslint/tsconfig-utils": "8.52.0", @@ -181,6 +182,7 @@ "qs": "^6.15.0", "simple-git": "^3.32.3", "systeminformation": "^5.31.0", + "tar": ">=7.5.11", "socket.io-parser": "^4.2.4", "zookeeper": "^7.2.0" }, diff --git a/server/routerlicious/pnpm-lock.yaml b/server/routerlicious/pnpm-lock.yaml index 24335963e35e..fa2b138da309 100644 --- a/server/routerlicious/pnpm-lock.yaml +++ b/server/routerlicious/pnpm-lock.yaml @@ -31,6 +31,7 @@ overrides: qs: ^6.15.0 simple-git: ^3.32.3 systeminformation: ^5.31.0 + tar: '>=7.5.11' socket.io-parser: ^4.2.4 zookeeper: ^7.2.0 @@ -2822,6 +2823,10 @@ packages: resolution: {integrity: sha512-O8jcjabXaleOG9DQ0+ARXWZBTfnP4WNAqzuiJK7ll44AmxGKv/J2M4TPjxjY3znBCfvBXFzucm1twdyFybFqEA==} engines: {node: '>=12'} + '@isaacs/fs-minipass@4.0.1': + resolution: {integrity: sha512-wgm9Ehl2jpeqP3zw/7mo3kRHFp5MEDhqAdwy1fTGkHAwnkGOVsgpvQhL8B5n1qlb01jV3n/bI0ZfZp5lWA1k4w==} + engines: {node: '>=18.0.0'} + '@istanbuljs/schema@0.1.3': resolution: {integrity: sha512-ZXRY4jNvVgSVQ8DL3LTcakaAtXwTVUxE81hslsyD2AtoXW/wVob10HkOJ1X/pAlcI7D+2YoZKg5do8G/w6RYgA==} engines: {node: '>=8'} 
@@ -4368,9 +4373,9 @@ packages: chownr@1.1.4: resolution: {integrity: sha512-jJ0bqzaylmJtVnNgzTeSOs8DPavpbYgEr/b0YL8/2GO3xJEhInFmhKMUnEJQjZumK7KXGFhUy89PrsJWlakBVg==} - chownr@2.0.0: - resolution: {integrity: sha512-bIomtDF5KGpdogkLd9VspvFzk9KfpyyGlS8YFVZl7TGPBHL5snIOnxeshwVgPteQ9b4Eydl+pVbIyE1DcvCWgQ==} - engines: {node: '>=10'} + chownr@3.0.0: + resolution: {integrity: sha512-+IxzY9BZOQd/XuYPRmrvEVjF/nqj5kgT4kEq7VofrDoM1MxoRjEWkrCC3EtLi59TVawxTAn+orJwFQcrqEN1+g==} + engines: {node: '>=18'} chrome-trace-event@1.0.3: resolution: {integrity: sha512-p3KULyQg4S7NIHixdwbGX+nFHkoBiA4YQmyWtjb8XngSKV124nJmRysgAeujbUVb15vh+RvFUfCPqU7rXk+hZg==} @@ -5415,10 +5420,6 @@ packages: resolution: {integrity: sha512-yhlQgA6mnOJUKOsRUFsgJdQCvkKhcz8tlZG5HBQfReYZy46OwLcY+Zia0mtdHsOo9y/hP+CxMN0TU9QxoOtG4g==} engines: {node: '>=6 <7 || >=8'} - fs-minipass@2.1.0: - resolution: {integrity: sha512-V/JgOLFCS+R6Vcq0slCuaeWEdNC3ouDlJMNIsacH2VtALiu9mV4LPrHc5cDl8k5aw6J8jwgWWpiTo5RYhmIzvg==} - engines: {node: '>= 8'} - fs-minipass@3.0.2: resolution: {integrity: sha512-2GAfyfoaCDRrM6jaOS3UsBts8yJ55VioXdWcOL7dK9zdAuKT71+WBA4ifnNYqVjYv+4SsPxjK0JT4yIIn4cA/g==} engines: {node: ^14.17.0 || ^16.13.0 || >=18.0.0} @@ -6762,6 +6763,10 @@ packages: resolution: {integrity: sha512-bAxsR8BVfj60DWXHE3u30oHzfl4G7khkSuPW+qvpd7jFRHm7dLxOjUk1EHACJ/hxLY8phGJ0YhYHZo7jil7Qdg==} engines: {node: '>= 8'} + minizlib@3.1.0: + resolution: {integrity: sha512-KZxYo1BUkWD2TVFLr0MQoM8vUUigWD3LlD83a/75BqC+4qE0Hb1Vo5v1FgcfaNXvfXzr+5EhQ6ing/CaBijTlw==} + engines: {node: '>= 18'} + mkdirp@0.5.6: resolution: {integrity: sha512-FP+p8RB8OWpF3YZBCrP5gtADmtXApB5AMLn+vdyA+PyxCjrCs00mjyUozssO33cwDeT3wNGdLxJ5M//YqtHAJw==} hasBin: true 
@@ -8317,10 +8322,9 @@ packages: resolution: {integrity: sha512-rzS0heiNf8Xn7/mpdSVVSMAWAoy9bfb1WOTYC78Z0UQKeKa/CWS8FOq0lKGNa8DWKAn9gxjCvMLYc5PGXYlK2A==} engines: {node: '>= 0.8.0'} - tar@6.2.1: - resolution: {integrity: sha512-DZ4yORTwrbTj/7MZYq2w+/ZFdI6OZ/f9SFHR+71gIVUZhOQPHzVCLpvRnPgyaMpfWxxk/4ONva3GQSyNIKRv6A==} - engines: {node: '>=10'} - deprecated: Old versions of tar are not supported, and contain widely publicized security vulnerabilities, which have been fixed in the current version. Please update. Support for old versions may be purchased (at exorbitant rates) by contacting i@izs.me + tar@7.5.11: + resolution: {integrity: sha512-ChjMH33/KetonMTAtpYdgUFr0tbz69Fp2v7zWxQfYZX4g5ZN2nOBXm1R2xyA+lMIKrLKIoKAwFj93jE/avX9cQ==} + engines: {node: '>=18'} telegrafjs@0.1.3: resolution: {integrity: sha512-OdLXhCp8yxXz9uY8xH5q55COtU89eOAwVZStcGJU1CLDsDnC7ON12I5cHJaaXvSfTaP309eh7IGsY72Q0hGrww==} @@ -8920,6 +8924,10 @@ packages: yallist@4.0.0: resolution: {integrity: sha512-3wdGidZyq5PB084XLES5TpOSRA3wjXAlIWMhum2kRcv/41Sn2emQ0dycQW4uZXLejwKvg6EsvbdlVL+FYEct7A==} + yallist@5.0.0: + resolution: {integrity: sha512-YgvUTfwqyc7UXVMrB+SImsVYSmTS8X/tSrtdNZMImM+n7+QTriRXyXim0mBrTXNeqzVF0KWGgHPeiyViFFrNDw==} + engines: {node: '>=18'} + yaml@2.8.2: resolution: {integrity: sha512-mplynKqc1C2hTVYxd0PU2xQAc22TI1vShAYGksCCfxbn/dFwnHTNi1bvYsBTkhdUNtGIf5xNOg938rrSSYvS9A==} engines: {node: '>= 14.6'} @@ -10305,6 +10313,10 @@ snapshots: wrap-ansi: 8.1.0 wrap-ansi-cjs: wrap-ansi@7.0.0 + '@isaacs/fs-minipass@4.0.1': + dependencies: + minipass: 7.1.2 + '@istanbuljs/schema@0.1.3': {} '@jridgewell/gen-mapping@0.3.13': @@ -12097,7 +12109,7 @@ snapshots: minipass-pipeline: 1.2.4 p-map: 4.0.0 ssri: 10.0.4 - tar: 6.2.1 + tar: 7.5.11 unique-filename: 3.0.0 cacheable-lookup@7.0.0: {} @@ -12240,7 +12252,7 @@ snapshots: chownr@1.1.4: optional: true - chownr@2.0.0: {} + chownr@3.0.0: {} chrome-trace-event@1.0.3: {} 
@@ -13442,10 +13454,6 @@ snapshots: jsonfile: 4.0.0 universalify: 0.1.2 - fs-minipass@2.1.0: - dependencies: - minipass: 3.3.6 - fs-minipass@3.0.2: dependencies: minipass: 5.0.0 @@ -15018,6 +15026,10 @@ snapshots: minipass: 3.3.6 yallist: 4.0.0 + minizlib@3.1.0: + dependencies: + minipass: 7.1.2 + mkdirp@0.5.6: dependencies: minimist: 1.2.8 @@ -15215,7 +15227,7 @@ snapshots: npmlog: 6.0.2 rimraf: 3.0.2 semver: 7.7.3 - tar: 6.2.1 + tar: 7.5.11 which: 2.0.2 transitivePeerDependencies: - supports-color @@ -15602,7 +15614,7 @@ snapshots: read-package-json-fast: 3.0.2 sigstore: 1.6.0 ssri: 10.0.4 - tar: 6.2.1 + tar: 7.5.11 transitivePeerDependencies: - bluebird - supports-color @@ -16928,14 +16940,13 @@ snapshots: to-buffer: 1.2.1 xtend: 4.0.2 - tar@6.2.1: + tar@7.5.11: dependencies: - chownr: 2.0.0 - fs-minipass: 2.1.0 - minipass: 5.0.0 - minizlib: 2.1.2 - mkdirp: 1.0.4 - yallist: 4.0.0 + '@isaacs/fs-minipass': 4.0.1 + chownr: 3.0.0 + minipass: 7.1.2 + minizlib: 3.1.0 + yallist: 5.0.0 telegrafjs@0.1.3: {} @@ -17598,6 +17609,8 @@ snapshots: yallist@4.0.0: {} + yallist@5.0.0: {} + yaml@2.8.2: {} yargs-parser@20.2.9: {} From a411603724ff1fb3359373281fc80d777e26fb0a Mon Sep 17 00:00:00 2001 From: Frank Mueller Date: Wed, 11 Mar 2026 16:11:14 -0700 Subject: [PATCH 2/5] Update test fixture lockfile to remove js-yaml 3.14.1 CG was scanning this test data lockfile and flagging the vulnerable js-yaml 3.14.1 version. Updated references to 3.14.2. Co-Authored-By: Claude Opus 4.6 --- .../src/test/data/testRepo/pnpm-lock.yaml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/build-tools/packages/build-infrastructure/src/test/data/testRepo/pnpm-lock.yaml b/build-tools/packages/build-infrastructure/src/test/data/testRepo/pnpm-lock.yaml index 69ee7ea35644..bde80f7f9fa8 100644 --- a/build-tools/packages/build-infrastructure/src/test/data/testRepo/pnpm-lock.yaml +++ b/build-tools/packages/build-infrastructure/src/test/data/testRepo/pnpm-lock.yaml 
@@ -273,8 +273,8 @@ packages: isexe@2.0.0: resolution: {integrity: sha512-RHxMLp9lnKHGHRng9QFhRCMbYAcVpn69smSGcq3f36xjgVVWThj4qqLbTLlq7Ssj8B+fIQ1EuCEGI2lKsyQeIw==} - js-yaml@3.14.1: - resolution: {integrity: sha512-okMH7OXXJ7YrN9Ok3/SXrnu4iX9yOk+25nqX4imS2npuvTYDmo/QEZoqwZkYaIDk3jVvBOTOIEgEhaLOynBS9g==} + js-yaml@3.14.2: + resolution: {integrity: sha512-aSxBFh2VDgOBMOzcqVEGMGSjBGFDxAnAfSsEEuhGPOB24VUz7RRGXB18fUfKJGRe4Q9sXMIpOGKBsDYBM4bUXg==} hasBin: true jsonfile@4.0.0: @@ -545,7 +545,7 @@ snapshots: '@changesets/parse@0.4.0': dependencies: '@changesets/types': 6.0.0 - js-yaml: 3.14.1 + js-yaml: 3.14.2 '@changesets/pre@2.0.1': dependencies: @@ -731,7 +731,7 @@ snapshots: isexe@2.0.0: {} - js-yaml@3.14.1: + js-yaml@3.14.2: dependencies: argparse: 1.0.10 esprima: 4.0.1 @@ -796,7 +796,7 @@ snapshots: read-yaml-file@1.1.0: dependencies: graceful-fs: 4.2.11 - js-yaml: 3.14.1 + js-yaml: 3.14.2 pify: 4.0.1 strip-bom: 3.0.0 From 2cb6f31b15bc613beac47dd4c47463b99688c69a Mon Sep 17 00:00:00 2001 From: Frank Mueller Date: Wed, 11 Mar 2026 16:30:11 -0700 Subject: [PATCH 3/5] Use ^7.5.11 instead of >=7.5.11 for tar override to fix syncpack lint syncpack lint-semver-ranges in build-tools rejects >= ranges. Switch to ^ which is semantically equivalent for the 7.x line. Co-Authored-By: Claude Opus 4.6 --- build-tools/package.json | 2 +- build-tools/pnpm-lock.yaml | 2 +- common/lib/common-utils/package.json | 2 +- common/lib/common-utils/pnpm-lock.yaml | 2 +- common/lib/protocol-definitions/package.json | 2 +- common/lib/protocol-definitions/pnpm-lock.yaml | 2 +- package.json | 2 +- pnpm-lock.yaml | 2 +- server/gitrest/package.json | 2 +- server/gitrest/pnpm-lock.yaml | 2 +- server/historian/package.json | 2 +- server/historian/pnpm-lock.yaml | 2 +- server/routerlicious/package.json | 2 +- server/routerlicious/pnpm-lock.yaml | 2 +- 14 files changed, 14 insertions(+), 14 deletions(-) 
diff --git a/build-tools/package.json b/build-tools/package.json index 479c093d4147..ebfcc3c9fe1f 100644 --- a/build-tools/package.json +++ b/build-tools/package.json @@ -173,7 +173,7 @@ "qs": "^6.15.0", "simple-git": "^3.32.3", "sharp": "^0.34.5", - "tar": ">=7.5.11" + "tar": "^7.5.11" }, "updateConfig": { "ignoreDependencies": [ diff --git a/build-tools/pnpm-lock.yaml b/build-tools/pnpm-lock.yaml index 989612546fb9..11862b86e7d4 100644 --- a/build-tools/pnpm-lock.yaml +++ b/build-tools/pnpm-lock.yaml @@ -20,7 +20,7 @@ overrides: qs: ^6.15.0 simple-git: ^3.32.3 sharp: ^0.34.5 - tar: '>=7.5.11' + tar: ^7.5.11 importers: diff --git a/common/lib/common-utils/package.json b/common/lib/common-utils/package.json index 9aee83cbf1ad..5555e2ea7ab9 100644 --- a/common/lib/common-utils/package.json +++ b/common/lib/common-utils/package.json @@ -172,7 +172,7 @@ "qs": "^6.15.0", "simple-git": "^3.32.3", "sharp": "^0.33.2", - "tar": ">=7.5.11" + "tar": "^7.5.11" }, "patchedDependencies": { "@microsoft/api-extractor@7.52.11": "../../../patches/@microsoft__api-extractor@7.52.11.patch" diff --git a/common/lib/common-utils/pnpm-lock.yaml b/common/lib/common-utils/pnpm-lock.yaml index d2db64859058..c595c011afbe 100644 --- a/common/lib/common-utils/pnpm-lock.yaml +++ b/common/lib/common-utils/pnpm-lock.yaml @@ -13,7 +13,7 @@ overrides: qs: ^6.15.0 simple-git: ^3.32.3 sharp: ^0.33.2 - tar: '>=7.5.11' + tar: ^7.5.11 patchedDependencies: '@microsoft/api-extractor@7.52.11': diff --git a/common/lib/protocol-definitions/package.json b/common/lib/protocol-definitions/package.json index 4f65dc551294..8557290c1c7b 100644 --- a/common/lib/protocol-definitions/package.json +++ b/common/lib/protocol-definitions/package.json @@ -142,7 +142,7 @@ "qs": "^6.15.0", "simple-git": "^3.32.3", "sharp": "^0.33.2", - "tar": ">=7.5.11" + "tar": "^7.5.11" }, "patchedDependencies": { "@microsoft/api-extractor@7.52.11": "../../../patches/@microsoft__api-extractor@7.52.11.patch" 
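Review bot: `"tar": "^7.5.11"` is an unconditional override, so unlike the `>=` form it replaces it will also rewrite any future dependency that declares tar 8.x back down to the 7.x line, which is a silent downgrade rather than a security fix. These same files already use pnpm's selector syntax for exactly this situation (`"js-yaml@<4": "^3.14.2"`, `"axios@<0.30.0": "^0.30.0"`, `"js-yaml@>=4": "^4.1.1"`), so `"tar@<7.5.11": "^7.5.11"` would confine the rewrite to the vulnerable range while still using a `^` value; whether syncpack's lint-semver-ranges accepts a selector key I cannot tell from the diff. The same applies to the other package.json hunks in this commit (common-utils, protocol-definitions, root, gitrest, historian, routerlicious).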
diff --git a/common/lib/protocol-definitions/pnpm-lock.yaml b/common/lib/protocol-definitions/pnpm-lock.yaml index 8eba14931981..58df8550fb7a 100644 --- a/common/lib/protocol-definitions/pnpm-lock.yaml +++ b/common/lib/protocol-definitions/pnpm-lock.yaml @@ -12,7 +12,7 @@ overrides: qs: ^6.15.0 simple-git: ^3.32.3 sharp: ^0.33.2 - tar: '>=7.5.11' + tar: ^7.5.11 patchedDependencies: '@microsoft/api-extractor@7.52.11': diff --git a/package.json b/package.json index db0555a66888..18e1ed2968d3 100644 --- a/package.json +++ b/package.json @@ -378,7 +378,7 @@ "oclif>@aws-sdk/client-cloudfront": "-", "oclif>@aws-sdk/client-s3": "-", "axios@<0.30.0": "^0.30.0", - "tar": ">=7.5.11" + "tar": "^7.5.11" }, "peerDependencyComments": [ "The react-split-pane package used by devtools-view has a peer dependency on React 16, but it doesn't seem to be maintained and it works fine with React 18. TODO: AB#18876", diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml index 68908148d73b..c2929f72f8e6 100644 --- a/pnpm-lock.yaml +++ b/pnpm-lock.yaml @@ -32,7 +32,7 @@ overrides: oclif>@aws-sdk/client-cloudfront: '-' oclif>@aws-sdk/client-s3: '-' axios@<0.30.0: ^0.30.0 - tar: '>=7.5.11' + tar: ^7.5.11 pnpmfileChecksum: sha256-UgK94jvekjDphs6M2itZJZ9CcCzYY0xcxZhNXJw7D28= diff --git a/server/gitrest/package.json b/server/gitrest/package.json index 863bcace2a4b..901e123abdc2 100644 --- a/server/gitrest/package.json +++ b/server/gitrest/package.json @@ -98,7 +98,7 @@ "qs": "^6.15.0", "simple-git": "^3.32.3", "sharp": "^0.33.2", - "tar": ">=7.5.11" + "tar": "^7.5.11" }, "onlyBuiltDependencies": [ "core-js", diff --git a/server/gitrest/pnpm-lock.yaml b/server/gitrest/pnpm-lock.yaml index f3caa6fbd173..4efdd1810f52 100644 --- a/server/gitrest/pnpm-lock.yaml +++ b/server/gitrest/pnpm-lock.yaml @@ -17,7 +17,7 @@ overrides: qs: ^6.15.0 simple-git: ^3.32.3 sharp: ^0.33.2 - tar: '>=7.5.11' + tar: ^7.5.11 importers: 
diff --git a/server/historian/package.json b/server/historian/package.json index 70ca94952ca7..6652a08c82d4 100644 --- a/server/historian/package.json +++ b/server/historian/package.json @@ -91,7 +91,7 @@ "qs": "^6.15.0", "simple-git": "^3.32.3", "socket.io-parser": "^4.2.4", - "tar": ">=7.5.11", + "tar": "^7.5.11", "sharp": "^0.33.2" }, "onlyBuiltDependencies": [ diff --git a/server/historian/pnpm-lock.yaml b/server/historian/pnpm-lock.yaml index eeb9a36bff61..e620a4213adc 100644 --- a/server/historian/pnpm-lock.yaml +++ b/server/historian/pnpm-lock.yaml @@ -18,7 +18,7 @@ overrides: qs: ^6.15.0 simple-git: ^3.32.3 socket.io-parser: ^4.2.4 - tar: '>=7.5.11' + tar: ^7.5.11 sharp: ^0.33.2 importers: diff --git a/server/routerlicious/package.json b/server/routerlicious/package.json index 5e1dcc8da150..7adea82bdd05 100644 --- a/server/routerlicious/package.json +++ b/server/routerlicious/package.json @@ -182,7 +182,7 @@ "qs": "^6.15.0", "simple-git": "^3.32.3", "systeminformation": "^5.31.0", - "tar": ">=7.5.11", + "tar": "^7.5.11", "socket.io-parser": "^4.2.4", "zookeeper": "^7.2.0" }, diff --git a/server/routerlicious/pnpm-lock.yaml b/server/routerlicious/pnpm-lock.yaml index fa2b138da309..f88e0529c011 100644 --- a/server/routerlicious/pnpm-lock.yaml +++ b/server/routerlicious/pnpm-lock.yaml @@ -31,7 +31,7 @@ overrides: qs: ^6.15.0 simple-git: ^3.32.3 systeminformation: ^5.31.0 - tar: '>=7.5.11' + tar: ^7.5.11 socket.io-parser: ^4.2.4 zookeeper: ^7.2.0 From 7f8ae135ab15b4934c53bc88620766662a7047a7 Mon Sep 17 00:00:00 2001 From: Frank Mueller Date: Wed, 11 Mar 2026 16:46:02 -0700 Subject: [PATCH 4/5] Fix js-yaml@3.14.2 integrity hash in test fixture lockfile The integrity hash for js-yaml@3.14.2 in the test fixture was incorrect, causing pnpm install to fail during build-tools tests. Co-Authored-By: Claude Opus 4.6 --- .../build-infrastructure/src/test/data/testRepo/pnpm-lock.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/build-tools/packages/build-infrastructure/src/test/data/testRepo/pnpm-lock.yaml b/build-tools/packages/build-infrastructure/src/test/data/testRepo/pnpm-lock.yaml index bde80f7f9fa8..8761db2b2b57 100644 --- a/build-tools/packages/build-infrastructure/src/test/data/testRepo/pnpm-lock.yaml +++ b/build-tools/packages/build-infrastructure/src/test/data/testRepo/pnpm-lock.yaml @@ -274,7 +274,7 @@ packages: resolution: {integrity: sha512-RHxMLp9lnKHGHRng9QFhRCMbYAcVpn69smSGcq3f36xjgVVWThj4qqLbTLlq7Ssj8B+fIQ1EuCEGI2lKsyQeIw==} js-yaml@3.14.2: - resolution: {integrity: sha512-aSxBFh2VDgOBMOzcqVEGMGSjBGFDxAnAfSsEEuhGPOB24VUz7RRGXB18fUfKJGRe4Q9sXMIpOGKBsDYBM4bUXg==} + resolution: {integrity: sha512-PMSmkqxr106Xa156c2M265Z+FTrPl+oxd/rgOQy2tijQeK5TxQ43psO1ZCwhVOSdnn+RzkzlRz/eY4BgJBYVpg==} hasBin: true jsonfile@4.0.0: From 9efdf8565ff94cc799ad658789bca888cebcee3e Mon Sep 17 00:00:00 2001 From: Frank Mueller Date: Sun, 15 Mar 2026 19:55:04 -0700 Subject: [PATCH 5/5] Fix tar override comment to match actual semver range (^7.5.11) The commentsOverrides said >=7.5.11 but the actual override uses ^7.5.11. Co-Authored-By: Claude Opus 4.6 (1M context) --- build-tools/package.json | 2 +- common/lib/common-utils/package.json | 2 +- common/lib/protocol-definitions/package.json | 2 +- server/gitrest/package.json | 2 +- server/historian/package.json | 2 +- server/routerlicious/package.json | 2 +- 6 files changed, 6 insertions(+), 6 deletions(-) diff --git a/build-tools/package.json b/build-tools/package.json index ebfcc3c9fe1f..d914c33f796d 100644 --- a/build-tools/package.json +++ b/build-tools/package.json 
@@ -155,7 +155,7 @@
 "js-yaml: overridden to fix a known vulnerability (prototype pollution via merge keys).",
 "mdast-util-to-hast: overridden to ^13.2.1 to fix a known vulnerability (unsanitized class attribute injection).",
 "simple-git: overridden to ^3.32.3 to resolve a CG alert.",
- "tar: overridden to >=7.5.11 to resolve multiple security vulnerabilities in tar 6.x (EOL, no backport)."
+ "tar: overridden to ^7.5.11 to resolve multiple security vulnerabilities in tar 6.x (EOL, no backport)."
 ],
 "overrides": {
 "@types/glob>@types/minimatch": "~5.1.2",
diff --git a/common/lib/common-utils/package.json b/common/lib/common-utils/package.json
index 5555e2ea7ab9..26abec23cbda 100644
--- a/common/lib/common-utils/package.json
+++ b/common/lib/common-utils/package.json
@@ -161,7 +161,7 @@
 "qs: overridden to ^6.15.0 to resolve a known vulnerability in older versions.",
 "js-yaml: overridden to fix a known vulnerability (prototype pollution via merge keys).",
 "simple-git: overridden to ^3.32.3 to resolve a CG alert.",
- "tar: overridden to >=7.5.11 to resolve multiple security vulnerabilities in tar 6.x (EOL, no backport)."
+ "tar: overridden to ^7.5.11 to resolve multiple security vulnerabilities in tar 6.x (EOL, no backport)."
 ],
 "overrides": {
 "js-yaml@<4": "^3.14.2",
diff --git a/common/lib/protocol-definitions/package.json b/common/lib/protocol-definitions/package.json
index 8557290c1c7b..c71c6c47719c 100644
--- a/common/lib/protocol-definitions/package.json
+++ b/common/lib/protocol-definitions/package.json
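Review bot: The comment now matches the range, but it still does not say which advisories the override addresses or when it can be retired, which is what the next maintainer needs once the scanner stops flagging tar 6; the first patch's title names path traversal while the string only says "multiple security vulnerabilities". Suggest extending it along the lines of `"tar: overridden to ^7.5.11 to resolve path-traversal and other advisories in tar 6.x (<ADVISORY-IDS>); 6.x is EOL with no backport. Remove once no dependency resolves tar <7.5.11."`, with the ids taken from the alerts that prompted the change. The same string is repeated in the common-utils, protocol-definitions, gitrest, historian and routerlicious hunks of this commit.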
@@ -119,7 +119,7 @@
 "qs: overridden to ^6.15.0 to resolve a known vulnerability in older versions.",
 "js-yaml: overridden to fix a known vulnerability (prototype pollution via merge keys).",
 "simple-git: overridden to ^3.32.3 to resolve a CG alert.",
- "tar: overridden to >=7.5.11 to resolve multiple security vulnerabilities in tar 6.x (EOL, no backport)."
+ "tar: overridden to ^7.5.11 to resolve multiple security vulnerabilities in tar 6.x (EOL, no backport)."
 ],
 "onlyBuiltDependencies": [
 "core-js",
diff --git a/server/gitrest/package.json b/server/gitrest/package.json
index 901e123abdc2..127810fd8485 100644
--- a/server/gitrest/package.json
+++ b/server/gitrest/package.json
@@ -83,7 +83,7 @@
 "qs: overridden to ^6.15.0 to resolve a known vulnerability in older versions.",
 "js-yaml: overridden to fix a known vulnerability (prototype pollution via merge keys).",
 "simple-git: overridden to ^3.32.3 to resolve a CG alert.",
- "tar: overridden to >=7.5.11 to resolve multiple security vulnerabilities in tar 6.x (EOL, no backport)."
+ "tar: overridden to ^7.5.11 to resolve multiple security vulnerabilities in tar 6.x (EOL, no backport)."
 ],
 "overrides": {
 "@fluidframework/eslint-config-fluid": "link:../../common/build/eslint-config-fluid",
diff --git a/server/historian/package.json b/server/historian/package.json
index 6652a08c82d4..55997595d353 100644
--- a/server/historian/package.json
+++ b/server/historian/package.json
@@ -75,7 +75,7 @@
 "qs: overridden to ^6.15.0 to resolve a known vulnerability in older versions.",
 "js-yaml: overridden to fix a known vulnerability (prototype pollution via merge keys).",
 "simple-git: overridden to ^3.32.3 to resolve a CG alert.",
- "tar: overridden to >=7.5.11 to resolve multiple security vulnerabilities in tar 6.x (EOL, no backport)."
+ "tar: overridden to ^7.5.11 to resolve multiple security vulnerabilities in tar 6.x (EOL, no backport)."
 ],
 "overrides": {
 "@fluidframework/eslint-config-fluid": "link:../../common/build/eslint-config-fluid",
diff --git a/server/routerlicious/package.json b/server/routerlicious/package.json
index 7adea82bdd05..d26173a74cf4 100644
--- a/server/routerlicious/package.json
+++ b/server/routerlicious/package.json
@@ -153,7 +153,7 @@
 "js-yaml: overridden to fix a known vulnerability (prototype pollution via merge keys).",
 "systeminformation: overridden to ^5.31.0 to resolve command injection vulnerabilities.",
 "simple-git: overridden to ^3.32.3 to resolve a CG alert.",
- "tar: overridden to >=7.5.11 to resolve multiple security vulnerabilities in tar 6.x (EOL, no backport)."
+ "tar: overridden to ^7.5.11 to resolve multiple security vulnerabilities in tar 6.x (EOL, no backport)."
 ],
 "overrides": {
 "@typescript-eslint/tsconfig-utils": "8.52.0",