fix: update tar to >=7.5.7 to address CVE#1343
Merged
rudivanhierden merged 5 commits into main on Feb 11, 2026
Add npm override to force tar dependency to version 7.5.4 or higher, addressing CVE in tar versions before 7.5.4.
| Project | Openstad Headless |
|---|---|
| Branch Review | fix/tar-vulnerability |
| Run duration | 22m 14s |
| Committer | Rudi van Hierden |
| Test results | 0, 0, 0, 0, 67 |
iandebruin98 approved these changes on Feb 2, 2026
- Resolved conflict in package.json overrides section
- Consolidated duplicate overrides into single section
- Updated tar override to >=7.5.7 (security fix)
- Added node-gyp and @isaacs/brace-expansion overrides for compatibility

force-pushed from 3b45a74 to d5c058f
npm ci has been unreliable across local, CI, and Docker build environments due to lockfile mismatches. Switch to npm i which works consistently everywhere. Regenerate package-lock.json.
force-pushed from d5c058f to 748d735
Vite version mismatch between local (6.x) and hoisted (7.x) caused Plugin type incompatibility during tsc. The config is only needed at Vite runtime, not as part of the library type output.
- Remove @isaacs/brace-expansion override that corrupted lock file generation
- Make node-gyp override conditional (node-gyp@<10.0.0) to avoid breaking sqlite3
- Add tar@7.5.7 as direct dependency + override for security fix
- Revert Dockerfile to npm ci for deterministic builds
- Use npm ci --safe-chain-skip-minimum-package-age in CI and Docker to prevent safe-chain from suppressing recently-published tar@7.5.7
- Regenerate package-lock.json cleanly from main (423 lines vs 91k)
Add npm override to force tar dependency to version 7.5.7 or higher. This change would lead to reproducible errors with `npm ci` in either local or docker installation, so this PR opts to return to the `npm i` command for now until we can find a stable fix.