
fix(security): Bump tar to 7.5.9 and lerna to 9.0.4 to fix CVE-2026-26960. #5825

Merged
wayfarer3130 merged 4 commits into OHIF:release/3.12 from jbocce:fix/tar-linear-advisory-release-3.12
Feb 18, 2026

Conversation

@jbocce
Collaborator

@jbocce jbocce commented Feb 18, 2026

Context

GHSA-83g3-92jg-28cx

Changes & Results

Bump tar to 7.5.9 and lerna to 9.0.4 to fix CVE-2026-26960.
Bump sharp to 0.34.5 to fix tar-fs vulnerabilities.

Testing

Automated tests should run.

Checklist

PR

  • My Pull Request title is descriptive, accurate and follows the
    semantic-release format and guidelines.

Code

  • My code has been well-documented (function documentation, inline comments,
    etc.)

Public Documentation Updates

  • The documentation page has been updated as necessary for any public API
    additions or removals.

Greptile Summary

This PR addresses CVE-2026-26960 (a vulnerability in the tar package) and transitive tar-fs vulnerabilities in sharp through targeted dependency bumps:

  • Adds tar@7.5.9 to root resolutions to force all transitive tar dependencies to the patched version
  • Bumps lerna from 7.4.2 to 9.0.4 in the addOns devDependencies, which updates lerna's transitive tar dependency
  • Adds sharp@0.34.5 resolution to platform/docs/package.json to fix tar-fs vulnerabilities in sharp's native addon chain
  • Removes 4 previously-ignored CVE entries from the CircleCI security audit config, since these vulnerabilities are now resolved by the dependency updates
  • Lock files (yarn.lock, bun.lock, platform/docs/yarn.lock) are regenerated accordingly

The changes are limited to dependency resolution and CI configuration — no application code is modified.

Confidence Score: 4/5

  • This PR is safe to merge — it only modifies dependency versions and CI audit configuration with no application code changes.
  • Score of 4 reflects that this is a straightforward security dependency bump with no application code changes. The tar resolution and sharp bump are well-targeted. The only minor concern is the lerna 7→9 major version jump, which could theoretically affect build/dev tooling, but the lerna.json config is minimal and compatible with v9. CI tests should validate this.
  • The addOns/externals/devDependencies/package.json file has a major version bump for lerna (7→9) — verify CI builds and lerna-based scripts work correctly after this change.

Important Files Changed

Filename Overview
.circleci/config.yml Removed 4 previously-ignored CVE entries from the IGNORED_VULNS array, since the underlying vulnerabilities are now fixed by the dependency bumps. The empty array with surrounding loop scaffolding is harmless and clean.
addOns/externals/devDependencies/package.json Bumps lerna from 7.4.2 to 9.0.4 (major version jump). This is a dev-only dependency used for monorepo management. The lerna.json config uses basic fields compatible with v9.
package.json Adds tar@7.5.9 to the resolutions section to force all transitive tar dependencies to the patched version, fixing CVE-2026-26960.
platform/docs/package.json Adds sharp@0.34.5 to the docs-specific resolutions to fix tar-fs vulnerabilities in sharp's native addon dependencies.
platform/docs/yarn.lock Lock file regenerated to reflect the sharp@0.34.5 resolution. Adds platform-specific @img/sharp-* optional dependencies.
yarn.lock Large lock file update (~2768 additions/removals) reflecting lerna 7→9 upgrade and tar resolution. All tar ranges now resolve to 7.5.9. New lerna 9 transitive dependencies added (e.g., @inquirer/, @lerna/, nx).
bun.lock Bun lock file regenerated to reflect lerna 9.0.4 and tar 7.5.9 resolution changes, consistent with the yarn.lock updates.

Flowchart

flowchart TD
    A["CVE-2026-26960\n(tar vulnerability)"] --> B["Add tar@7.5.9\nto root resolutions"]
    A --> C["Bump lerna 7.4.2 → 9.0.4\n(updates transitive tar)"]
    D["tar-fs vulnerabilities\nin sharp"] --> E["Add sharp@0.34.5\nresolution in docs"]
    B --> F["yarn.lock / bun.lock\nregenerated"]
    C --> F
    E --> G["platform/docs/yarn.lock\nregenerated"]
    F --> H["Remove 4 ignored CVEs\nfrom CI audit config"]
    G --> H
    H --> I["CI security audit\npasses cleanly"]

Last reviewed commit: 452f1a8

…6960.

Bump sharp to 0.34.5 to fix tar-fs vulnerabilities.
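The summary above relies on the root `resolutions` entry forcing every transitive `tar` range to 7.5.9 and on the regenerated `yarn.lock` reflecting that. The script below is an added example, not code from this PR or from the OHIF project: it parses a yarn v1 lock file and reports any `tar@<range>` entry that still resolves below the patched version, which is the check a reviewer would run on the regenerated lock file before trusting the audit-config cleanup. The two lock-file snippets are constructed for illustration (the "before" one is what a lock without the resolution would look like), the yarn v1 text format is assumed, and the version comparison is a deliberately simplified semver (prerelease tags are ignored).

```javascript
// Added example, not part of OHIF PR #5825 or the project's code base.
// Assumes yarn v1 lock format ("name@range, name@range:" headers followed by an
// indented `version "x.y.z"` line). Lock snippets below are constructed.

// Parse a yarn v1 lock into Map<packageName, [{range, version}, ...]>.
function parseYarnLock(text) {
  const entries = new Map();
  let currentKeys = null;
  for (const rawLine of text.split("\n")) {
    const line = rawLine.replace(/\r$/, "");
    if (line === "" || line.startsWith("#")) continue;
    // An unindented line ending in ":" is an entry header with one or more
    // comma-separated, possibly double-quoted, "name@range" keys.
    if (!/^\s/.test(line) && line.endsWith(":")) {
      currentKeys = line
        .slice(0, -1)
        .split(",")
        .map((k) => k.trim().replace(/^"|"$/g, ""));
      continue;
    }
    const m = /^\s+version\s+"([^"]+)"/.exec(line);
    if (m && currentKeys) {
      for (const key of currentKeys) {
        // Split on the LAST "@" so scoped names like @lerna/core keep their prefix.
        // Assumption: keys are plain name@range (no "npm:" aliases).
        const at = key.lastIndexOf("@");
        const name = key.slice(0, at);
        const range = key.slice(at + 1);
        if (!entries.has(name)) entries.set(name, []);
        entries.get(name).push({ range, version: m[1] });
      }
      currentKeys = null; // ignore nested "dependencies:" blocks until next header
    }
  }
  return entries;
}

// Simplified semver compare: numeric dotted parts, prerelease suffix dropped.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Return every lock entry of `pkg` whose resolved version is below `minVersion`.
// An empty array means the resolution pin is actually in effect for that package.
function findUnpatched(lockText, pkg, minVersion) {
  const entries = parseYarnLock(lockText).get(pkg) || [];
  return entries.filter((e) => compareVersions(e.version, minVersion) < 0);
}

// Constructed lock snippets. "tar-fs" must NOT be mistaken for "tar".
const LOCK_BEFORE = `# yarn lockfile v1


tar-fs@^2.1.1:
  version "2.1.1"
  resolved "https://registry.yarnpkg.com/tar-fs/-/tar-fs-2.1.1.tgz"

tar@^6.1.11, tar@^6.2.1:
  version "6.2.1"
  resolved "https://registry.yarnpkg.com/tar/-/tar-6.2.1.tgz"
  dependencies:
    chownr "^2.0.0"

"@lerna/core@7.4.2":
  version "7.4.2"
`;

const LOCK_AFTER = `# yarn lockfile v1


tar-fs@^2.1.1:
  version "2.1.1"

tar@7.5.9, tar@^6.1.11, tar@^6.2.1:
  version "7.5.9"
  resolved "https://registry.yarnpkg.com/tar/-/tar-7.5.9.tgz"
`;

// Stand-alone run: report on both constructed lock files.
for (const [label, text] of [["before", LOCK_BEFORE], ["after", LOCK_AFTER]]) {
  const bad = findUnpatched(text, "tar", "7.5.9");
  const detail = bad.map((e) => `tar@${e.range} -> ${e.version}`).join(", ");
  console.log(`${label}: ${bad.length === 0 ? "all tar ranges resolve to >= 7.5.9" : "unpatched: " + detail}`);
}
```

To run it against the real file, read `yarn.lock` with `fs.readFileSync("yarn.lock", "utf8")` and pass the text to `findUnpatched(text, "tar", "7.5.9")`; a non-empty result means a range escaped the resolution and the ignored-CVE entries should not be dropped from the CI audit yet. The same idea applies to the `sharp` pin in `platform/docs/yarn.lock`, but `bun.lock` uses a different format and needs its own check.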
@jbocce jbocce requested a review from wayfarer3130 February 18, 2026 18:26
Contributor

@greptile-apps greptile-apps bot left a comment


7 files reviewed, no comments


Contributor

@wayfarer3130 wayfarer3130 left a comment


Looks the same as the master branch update.

@wayfarer3130 wayfarer3130 merged commit c5c18f9 into OHIF:release/3.12 Feb 18, 2026
3 checks passed
@jbocce jbocce deleted the fix/tar-linear-advisory-release-3.12 branch February 27, 2026 23:22