pnpm audit reports 3 high severity vulnerabilities in tar:
- GHSA-8qq5-rm4j-mr97 — Arbitrary File Overwrite and Symlink Poisoning (tar <= 7.5.2)
- GHSA-r6q2-hw4h-h46w — Race Condition via Unicode Ligature Collisions (tar <= 7.5.3)
- GHSA-34x7-hfp2-rc4v — Arbitrary File Creation/Overwrite via Hardlink Path Traversal (tar < 7.5.7)
The direct tar dependency is already at ^7.5.7, but a vulnerable tar@6.2.1 is also pulled in transitively through npm-registry-fetch@10.1.2:
    npm-registry-fetch 10.1.2
    └── make-fetch-happen 8.0.14
        └── cacache 15.3.0
            └── tar 6.2.1 ← vulnerable
Every version of cacache before v19 depends on tar@^6, so this can't be fixed by a minor update.
The fix is to upgrade npm-registry-fetch from ^10.1.0 to ^19.1.1, which brings in cacache@20 that no longer depends on tar at all. This also requires:
- Bumping `engines.node` from `>=14` to `^20.17.0 || >=22.9.0` (Node 14, 16, and 18 are all EOL)
- Updating the `tar` import to use named exports (`import { extract } from "tar"` instead of `import tar from "tar"`) since `tar` v7 no longer has a default export
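The transitive chain above is the kind of thing `pnpm audit` catches but a quick look at `package.json` does not. The following is an added example (not code from this issue or from the project) of a small checker that walks the JSON dependency tree emitted by `npm ls --json --all` (or `pnpm list --json --depth Infinity`, which wraps projects in an array) and reports every copy of a package below the version that fixes the advisories, together with the path that pulls it in. The sample tree, the project name and the `scanSample` helper are constructed here to mirror the issue's tree; the threshold `7.5.7` is the fixed version the advisories cite.

```javascript
// Added example: find copies of a package below a fixed version in an
// `npm ls --json` style dependency tree and report how each one is reached.
// Threshold taken from the issue: the three tar advisories are fixed in 7.5.7.
const FIXED_TAR_VERSION = "7.5.7";

// Parse "1.2.3" (ignoring any pre-release/build suffix) into numeric parts.
function parseVersion(v) {
  const core = String(v).split(/[-+]/)[0];
  return core.split(".").map((n) => Number.parseInt(n, 10) || 0);
}

// Compare two versions on major.minor.patch; returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] ?? 0;
    const y = pb[i] ?? 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Walk the tree (a single project object, or an array of projects as pnpm
// emits) and collect every `pkgName` whose version is below `fixedVersion`.
function findVulnerable(tree, pkgName, fixedVersion) {
  const findings = [];
  const roots = Array.isArray(tree) ? tree : [tree];

  function walk(deps, path) {
    if (!deps) return;
    for (const [name, info] of Object.entries(deps)) {
      const here = [...path, `${name}@${info.version}`];
      if (name === pkgName && compareVersions(info.version, fixedVersion) < 0) {
        findings.push({ version: info.version, path: here.join(" > ") });
      }
      walk(info.dependencies, here); // recurse into nested dependencies
    }
  }

  for (const root of roots) walk(root.dependencies, []);
  return findings;
}

// Constructed sample in `npm ls --json` shape, mirroring the issue's tree.
const SAMPLE_TREE = {
  name: "example-project", // hypothetical project name
  version: "0.0.0",
  dependencies: {
    tar: { version: "7.5.7" }, // direct dependency, already on the fixed version
    "npm-registry-fetch": {
      version: "10.1.2",
      dependencies: {
        "make-fetch-happen": {
          version: "8.0.14",
          dependencies: {
            cacache: {
              version: "15.3.0",
              dependencies: {
                tar: { version: "6.2.1" }, // transitive copy, still vulnerable
              },
            },
          },
        },
      },
    },
  },
};

// Helper so the scan result is available as a return value, not just output.
function scanSample() {
  return findVulnerable(SAMPLE_TREE, "tar", FIXED_TAR_VERSION);
}

for (const f of scanSample()) {
  console.log(`tar@${f.version} < ${FIXED_TAR_VERSION} via ${f.path}`);
}
```

On real output, replace `SAMPLE_TREE` with `JSON.parse` of the command's stdout; the direct `tar@7.5.7` is correctly left alone while the nested `6.2.1` is reported with its full chain, which is exactly what tells you a minor bump of the direct dependency will not help.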