Conversation

@pedroccastro
Contributor

@pedroccastro pedroccastro commented Jan 22, 2026

What does this PR do?

Resolves Dependabot alert 511 by pinning tar to 7.5.4 via resolutions.

Changes

Package   From    To
tar       7.5.2   7.5.4

Security

Fixes race condition in node-tar on macOS APFS via Unicode ligature collisions.
Low risk (macOS-only, requires malicious tar input), but updating for compliance.

Notes

  • Transitive dependency via trigger.dev
  • Vulnerability only affects macOS APFS (production runs on Linux)
  • Low real-world risk but good to patch for compliance

Mandatory Tasks

  • I have self-reviewed the code (A decent size PR without self-review might be rejected).
  • I have updated the developer docs in /docs if this PR makes changes that would require a documentation change
  • I confirm automated tests are in place that prove my fix is effective or that my feature works.
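The PR pins a transitive dependency through the package.json `resolutions` field and leaves it to the lockfile to prove the pin took effect. The following is an added example, not code from this PR or the repository it targets: a small check that reads a package.json and a yarn.lock body and reports any `tar` entry still resolving below the pinned 7.5.4, in both Yarn classic and Yarn Berry entry styles. The package.json and lockfile snippets, including the `trigger.dev` range, are constructed for illustration.

```javascript
// Added example (not part of the PR): after pinning a transitive dependency via
// the package.json "resolutions" field, confirm the lockfile actually resolved
// every range of that package to the pinned version or newer.
// Handles Yarn classic (`version "7.5.4"`) and Yarn Berry (`version: 7.5.4`) entries.
// All inputs below are constructed for illustration.

const PINS = { tar: "7.5.4" }; // version named in the PR

// Parse "MAJOR.MINOR.PATCH" into numbers (pre-release/build suffixes ignored).
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v.trim());
  if (!m) throw new Error(`not a semver version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Returns -1, 0 or 1 like a comparator.
function compareSemver(a, b) {
  const [pa, pb] = [parseSemver(a), parseSemver(b)];
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  return 0;
}

// Map package name -> Set of resolved versions found in a yarn.lock body.
function lockfileVersions(lockText) {
  const out = new Map();
  let currentNames = [];
  for (const raw of lockText.split("\n")) {
    if (!raw.trim() || raw.startsWith("#")) continue;
    if (!/^\s/.test(raw) && raw.trimEnd().endsWith(":")) {
      // Entry header: one or more "name@range" keys, possibly quoted, comma-separated.
      currentNames = raw.trimEnd().slice(0, -1).split(",")
        .map((k) => k.trim().replace(/^"|"$/g, ""))
        .map((k) => { const m = /^(@?[^@]+)@/.exec(k); return m ? m[1] : null; })
        .filter(Boolean);
      continue;
    }
    const m = /^\s+version:?\s+"?([^"\s]+)"?/.exec(raw);
    if (m && currentNames.length) {
      for (const name of currentNames) {
        if (!out.has(name)) out.set(name, new Set());
        out.get(name).add(m[1]);
      }
    }
  }
  return out;
}

// Returns { ok, problems }: a missing resolutions entry, a lockfile entry older
// than its pin, or a pinned package absent from the lockfile are all problems.
function checkPins(packageJsonText, lockText, pins = PINS) {
  const pkg = JSON.parse(packageJsonText);
  const resolutions = pkg.resolutions || {};
  const locked = lockfileVersions(lockText);
  const problems = [];
  for (const [name, want] of Object.entries(pins)) {
    if (resolutions[name] !== want) {
      problems.push(`package.json resolutions does not pin ${name} to ${want}`);
    }
    if (!locked.has(name)) problems.push(`lockfile has no entry for ${name}`);
    for (const v of locked.get(name) || []) {
      if (compareSemver(v, want) < 0) problems.push(`lockfile resolves ${name} to ${v} (< ${want})`);
    }
  }
  return { ok: problems.length === 0, problems };
}

// Constructed sample inputs: the state before the pin and after it.
const PACKAGE_JSON_BEFORE = JSON.stringify({ name: "app", dependencies: { "trigger.dev": "^3.0.0" } });
const PACKAGE_JSON_AFTER = JSON.stringify({
  name: "app", dependencies: { "trigger.dev": "^3.0.0" }, resolutions: { tar: "7.5.4" },
});
const LOCK_BEFORE = `
"tar@npm:^7.5.0":
  version: 7.5.2
  resolution: "tar@npm:7.5.2"
`;
const LOCK_AFTER = `
"tar@npm:7.5.4, tar@npm:^7.5.0":
  version: 7.5.4
  resolution: "tar@npm:7.5.4"
`;

console.log(checkPins(PACKAGE_JSON_BEFORE, LOCK_BEFORE)); // ok: false, two problems
console.log(checkPins(PACKAGE_JSON_AFTER, LOCK_AFTER));   // ok: true
```

Running `checkPins` in CI with the real package.json and yarn.lock turns the "pin via resolutions" step into a verifiable gate: a future dependency bump that reintroduces an older `tar` range fails the check rather than silently reopening the alert.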

@pedroccastro pedroccastro marked this pull request as ready for review January 22, 2026 18:24
@pedroccastro pedroccastro requested a review from a team as a code owner January 22, 2026 18:24
@graphite-app graphite-app bot added core area: core, team members only foundation labels Jan 22, 2026
Copy link
Contributor

@cubic-dev-ai cubic-dev-ai bot left a comment


No issues found across 2 files

@pedroccastro pedroccastro changed the title chore: update tar to 7.5.4 chore: pin tar to 7.5.4 Jan 22, 2026
@pedroccastro pedroccastro merged commit 2542e1e into main Jan 22, 2026
85 of 89 checks passed
@pedroccastro pedroccastro deleted the chore/update-tar branch January 22, 2026 19:01