chore(deps): override tar-fs and ws to clear transitive CVEs #35
Merged
JohnRDOrazio merged 1 commit into main, May 2, 2026
Conversation
Dependabot opened four high-severity alerts on transitive dependencies
of pagedjs-cli@0.4.3 → puppeteer@^20.9.0 → @puppeteer/browsers@1.4.6:
- tar-fs@3.0.4: three vulnerabilities (CVE chain — symlink validation
bypass, extraction outside target dir, link following / path
traversal). All resolved in tar-fs 3.1.1+.
- ws@8.13.0: DoS when handling a request with many HTTP headers.
Resolved in ws 8.17.1+.
pagedjs-cli has no stable release past 0.4.3 (only 0.5.0-beta.x and
abandoned 1.0.0-alpha.x), and its puppeteer 20.x pin is end-of-life,
so dependabot can't bump these transitively. Until pagedjs-cli ships a
new stable on a current puppeteer, npm overrides force the patched
versions across the tree:
  "overrides": {
    "tar-fs": "^3.1.2",
    "ws": "^8.18.0"
  }
Verified post-override:
- npm install reports 0 vulnerabilities
- npm ls tar-fs: 3.0.4 → 3.1.2
- npm ls ws: 8.13.0 → 8.20.0
- pandoc + standalone HTML build succeeds locally
- PDF build will be validated by the Build Test workflow on this PR
Practical exploitability for our setup is low regardless: deploy uses
PUPPETEER_SKIP_DOWNLOAD=true, so tar-fs (the Chrome-tarball extractor)
is never invoked, and ws is used as a client to local Chrome's
DevTools port, not a server accepting external traffic. This change
is hygiene — silence the alerts, and don't ship a known-vulnerable
lockfile.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Summary
Resolves all four open Dependabot security alerts (3× tar-fs, 1× ws) by adding npm overrides that force patched versions of transitive deps that pagedjs-cli@0.4.3 → puppeteer@^20.9.0 → @puppeteer/browsers@1.4.6 would otherwise hold back.
- tar-fs
- ws
npm install reports 0 vulnerabilities post-override.
Why an upstream bump won't fix this
pagedjs-cli@0.4.3 is the latest stable. 0.5.0-beta.2 would pull in puppeteer@22.x (which uses safe tar-fs), and 1.0.0-alpha.2 is abandoned with even older puppeteer. tar-fs past what puppeteer@20.x permits.
Practical exploitability
Low across the board, but worth fixing anyway:
- PUPPETEER_SKIP_DOWNLOAD: 'true', so tar-fs (the Chrome-tarball extractor used at install time by @puppeteer/browsers) is never invoked — we use system Chrome via PUPPETEER_EXECUTABLE_PATH.
- ws is used as a client to local Chrome's DevTools port; the DoS vuln is on the WebSocket server side. Not externally reachable.
Test plan
- Build governance docs passes on this PR (validates the PDF build still renders correctly with overridden tar-fs/ws)
Future
Once pagedjs-cli ships a stable on puppeteer@22.x or newer, drop the overrides — they'll be redundant.
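An added example, not code from this PR or the project: a small Node check that walks a package-lock.json (lockfileVersion 2/3), finds every installed copy of tar-fs and ws, including nested copies under another package's node_modules, and flags any below the patched floors the PR names (tar-fs 3.1.1, ws 8.17.1). The two lockfile fragments and the function names are constructed for the example; prerelease tags are ignored in the version comparison.

```javascript
// Added example (not the PR's code): audit a package-lock.json (lockfileVersion 2/3)
// for every installed copy of a package and flag any below its patched floor.
// Floors are the fixed versions named in the PR; the lockfiles below are constructed.
const PATCHED_FLOOR = { "tar-fs": "3.1.1", "ws": "8.17.1" };

// "v3.1.2-rc.1+build" -> [3, 1, 2]; prerelease/build tags are ignored (assumption).
function parseVersion(v) {
  return v.replace(/^v/, "").split(/[-+]/)[0].split(".").map(Number);
}

function atLeast(version, floor) {
  const a = parseVersion(version), b = parseVersion(floor);
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] > b[i];
  return true;
}

// Walk the "packages" map. Keys are install paths such as
// "node_modules/puppeteer/node_modules/ws"; the text after the last "node_modules/"
// is the package name. Nested copies matter: an override only helps if every copy is patched.
function auditLock(lock, floors = PATCHED_FLOOR) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!path) continue; // "" is the root project entry
    const name = path.slice(path.lastIndexOf("node_modules/") + "node_modules/".length);
    const floor = floors[name];
    if (floor && !atLeast(meta.version, floor)) {
      findings.push({ path, name, version: meta.version, floor });
    }
  }
  return findings;
}

// Constructed: the PR's chain before the override (vulnerable copies).
const LOCK_BEFORE = { lockfileVersion: 3, packages: {
  "": { name: "docs" },
  "node_modules/@puppeteer/browsers": { version: "1.4.6" },
  "node_modules/tar-fs": { version: "3.0.4" },
  "node_modules/puppeteer/node_modules/ws": { version: "8.13.0" },
}};

// Constructed: after "overrides" forced the patched versions across the tree.
const LOCK_AFTER = { lockfileVersion: 3, packages: {
  "": { name: "docs", overrides: { "tar-fs": "^3.1.2", "ws": "^8.18.0" } },
  "node_modules/@puppeteer/browsers": { version: "1.4.6" },
  "node_modules/tar-fs": { version: "3.1.2" },
  "node_modules/puppeteer/node_modules/ws": { version: "8.20.0" },
}};
console.log(auditLock(LOCK_BEFORE)); // two findings: tar-fs 3.0.4, ws 8.13.0
console.log(auditLock(LOCK_AFTER));  // []
```

Run it against a real lockfile with `auditLock(JSON.parse(fs.readFileSync("package-lock.json", "utf8")))`; a non-empty result means an override is missing or did not reach a nested copy.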