From 6768fe55cd7ea4a68d529594dc67f38ee7382b15 Mon Sep 17 00:00:00 2001 From: "John R. D'Orazio" Date: Sat, 2 May 2026 05:24:45 +0200 Subject: [PATCH] chore(deps): override tar-fs and ws to clear transitive CVEs MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Dependabot opened four high-severity alerts on transitive dependencies of pagedjs-cli@0.4.3 → puppeteer@^20.9.0 → @puppeteer/browsers@1.4.6: - tar-fs@3.0.4: three vulnerabilities (CVE chain — symlink validation bypass, extraction outside target dir, link following / path traversal). All resolved in tar-fs 3.1.1+. - ws@8.13.0: DoS when handling a request with many HTTP headers. Resolved in ws 8.17.1+. pagedjs-cli has no stable release past 0.4.3 (only 0.5.0-beta.x and abandoned 1.0.0-alpha.x), and its puppeteer 20.x pin is end-of-life, so dependabot can't bump these transitively. Until pagedjs-cli ships a new stable on a current puppeteer, npm overrides force the patched versions across the tree: "overrides": { "tar-fs": "^3.1.2", "ws": "^8.18.0" } Verified post-override: - npm install reports 0 vulnerabilities - npm ls tar-fs: 3.0.4 → 3.1.2 - npm ls ws: 8.13.0 → 8.20.0 - pandoc + standalone HTML build succeeds locally - PDF build will be validated by the Build Test workflow on this PR Practical exploitability for our setup is low regardless: deploy uses PUPPETEER_SKIP_DOWNLOAD=true, so tar-fs (the Chrome-tarball extractor) is never invoked, and ws is used as a client to local Chrome's DevTools port, not a server accepting external traffic. This change is hygiene — silence the alerts, and don't ship a known-vulnerable lockfile. Co-Authored-By: Claude Opus 4.7 (1M context) --- package-lock.json | 24 ++++++++++-------------- package.json | 4 ++++ 2 files changed, 14 insertions(+), 14 deletions(-)
diff --git a/package-lock.json b/package-lock.json
index ac90d17..0db703f 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -3305,13 +3305,6 @@
 "dev": true,
 "license": "MIT"
 },
- "node_modules/mkdirp-classic": {
- "version": "0.5.3",
- "resolved": "https://registry.npmjs.org/mkdirp-classic/-/mkdirp-classic-0.5.3.tgz",
- "integrity": "sha512-gKLcREMhtuZRwRAfqP3RFW+TK4JqApVBtOIftVgjuABpAtpxhPGaDcfvbhNvD0B8iD1oUr/txX35NjcaY6Ns/A==",
- "dev": true,
- "license": "MIT"
- },
 "node_modules/ms": {
 "version": "2.1.3",
 "resolved": "https://registry.npmjs.org/ms/-/ms-2.1.3.tgz",
@@ -4529,15 +4522,18 @@
 }
 },
 "node_modules/tar-fs": {
- "version": "3.0.4",
- "resolved": "https://registry.npmjs.org/tar-fs/-/tar-fs-3.0.4.tgz",
- "integrity": "sha512-5AFQU8b9qLfZCX9zp2duONhPmZv0hGYiBPJsyUdqMjzq/mqVpy/rEUSeHk1+YitmxugaptgBh5oDGU3VsAJq4w==",
+ "version": "3.1.2",
+ "resolved": "https://registry.npmjs.org/tar-fs/-/tar-fs-3.1.2.tgz",
+ "integrity": "sha512-QGxxTxxyleAdyM3kpFs14ymbYmNFrfY+pHj7Z8FgtbZ7w2//VAgLMac7sT6nRpIHjppXO2AwwEOg0bPFVRcmXw==",
 "dev": true,
 "license": "MIT",
 "dependencies": {
- "mkdirp-classic": "^0.5.2",
 "pump": "^3.0.0",
 "tar-stream": "^3.1.5"
+ },
+ "optionalDependencies": {
+ "bare-fs": "^4.0.1",
+ "bare-path": "^3.0.0"
 }
 },
 "node_modules/tar-stream": {
@@ -4819,9 +4815,9 @@
 "license": "ISC"
 },
 "node_modules/ws": {
- "version": "8.13.0",
- "resolved": "https://registry.npmjs.org/ws/-/ws-8.13.0.tgz",
- "integrity": "sha512-x9vcZYTrFPC7aSIbj7sRCYo7L/Xb8Iy+pW0ng0wt2vCJv7M9HOMy0UoN3rr+IFC7hb7vXoqS+P9ktyLLLhO+LA==",
+ "version": "8.20.0",
+ "resolved": "https://registry.npmjs.org/ws/-/ws-8.20.0.tgz",
+ "integrity": "sha512-sAt8BhgNbzCtgGbt2OxmpuryO63ZoDk/sqaB/znQm94T4fCEsy/yV+7CdC1kJhOU9lboAEU7R3kquuycDoibVA==",
 "dev": true,
 "license": "MIT",
 "engines": {
diff --git a/package.json b/package.json
index 332d3f9..6a6dc3f 100644
--- a/package.json
+++ b/package.json
@@ -22,5 +22,9 @@
 "markdownlint-cli2": "^0.22.1",
 "pagedjs-cli": "^0.4.3",
 "prettier": "^3.8.3"
+ },
+ "overrides": {
+ "tar-fs": "^3.1.2",
+ "ws": "^8.18.0"
 }
 }
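Review bot: The `overrides` block added in the package.json hunk is unscoped, so `"tar-fs": "^3.1.2"` and `"ws": "^8.18.0"` are forced onto every package in the tree rather than only the pagedjs-cli → puppeteer chain the commit message names; if some other dependency later requires a different major of either package, the override still wins and npm will not surface that as an alert. npm allows nesting an override under an ancestor name, so `"overrides": { "pagedjs-cli": { "tar-fs": "^3.1.2", "ws": "^8.18.0" } }` keeps the forced versions confined to the subtree that actually carries the vulnerable copies, with the same `npm ls` result for this lockfile. Since package.json cannot hold comments, the removal condition (pagedjs-cli shipping a stable on a current puppeteer) currently exists only in this commit message; recording it in a tracking issue or a short README note is the only way to keep the override from outliving its reason. The object that contains this block starts above the hunk.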