Skip to content

Deps/electron builder tar bump 2026 04#23

Merged
EraPartner merged 2 commits intomainfrom
deps/electron-builder-tar-bump-2026-04
Apr 29, 2026
Merged

Deps/electron builder tar bump 2026 04#23
EraPartner merged 2 commits intomainfrom
deps/electron-builder-tar-bump-2026-04

Conversation

@EraPartner
Copy link
Copy Markdown
Owner

@EraPartner EraPartner commented Apr 29, 2026

No description provided.

@EraPartner
docs: add CI status badge to README
13117fb
@EraPartner
chore(deps): bump electron-builder 25 -> 26 to drop vulnerable tar 6.x
8cbb1bb 
Resolves 6 GHSA-* alerts against tar@6.2.1 (path traversal, symlink
poisoning, hardlink escape, race conditions) and one against
@tootallnate/once. electron-builder 26 pulls tar@^7.5.7 transitively
and drops the http-proxy-agent chain that used @tootallnate/once.

- packaging/electron/package.json: ^25.0.0 -> ^26.0.0
- packaging/electron/package-lock.json: regenerated, tar 6.2.1 -> 7.5.13
- packaging/electron/bun.lock: kept in sync

Closes Dependabot #27, #28, #29, #30, #31, #32, #33.

npm audit reports 0 vulnerabilities post-bump.
@EraPartner EraPartner merged commit 0b535cf into main Apr 29, 2026
11 checks passed
@EraPartner EraPartner deleted the deps/electron-builder-tar-bump-2026-04 branch April 29, 2026 08:49
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@EraPartner