fix(security): upgrade tar to 7.5.3 for GHSA-8qq5-rm4j-mr97 #298

Merged: Artmann merged 1 commit into main from upgrade-tar on Jan 19, 2026

Conversation

@Artmann (Contributor) commented Jan 19, 2026

Adds npm override to force tar@7.5.3 across all dependencies to fix path sanitization vulnerability (CVE-2026-23745). Also adds third-party license notice for Blue Oak Model License 1.0.0.

Summary by CodeRabbit

  • Documentation
    • Added a "Third-party licenses" section to the README detailing notable project licenses.
  • Chores
    • Updated dependency override configuration in package management.

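An added check, not code from this PR or the project, that a maintainer can run after adding the override to confirm no nested copy of tar older than 7.5.3 survives in the installed tree. It assumes input in the shape of `npm ls tar --all --json`; the tree below is constructed, not taken from this repository.

```javascript
// Added example, not from the PR: confirm that every copy of `tar` in the
// installed tree meets the override target. Input mirrors the shape of
// `npm ls tar --all --json`; the sample tree below is constructed.

const TARGET = "7.5.3"; // version the PR's npm override pins

// "7.5.3" -> [7, 5, 3]; a pre-release suffix such as "-beta.1" is dropped.
function parseVersion(v) {
  return v.split("-")[0].split(".").map((n) => parseInt(n, 10) || 0);
}

// true when semver a is strictly older than b (major.minor.patch only)
function olderThan(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) < (pb[i] || 0);
  }
  return false;
}

// Walk the nested `dependencies` tree; return each `tar` below the target
// together with the dependency chain that pulls it in.
function findOutdatedTar(tree, target = TARGET, chain = []) {
  const hits = [];
  for (const [name, node] of Object.entries(tree.dependencies || {})) {
    const here = [...chain, name];
    if (name === "tar" && node.version && olderThan(node.version, target)) {
      hits.push({ chain: here.join(" > "), version: node.version });
    }
    hits.push(...findOutdatedTar(node, target, here));
  }
  return hits;
}

// Constructed sample: the top-level tar is fixed, but a build tool still
// nests its own tar 6.x, which is exactly what the override is meant to remove.
const sampleTree = {
  name: "example-app",
  dependencies: {
    tar: { version: "7.5.3" },
    "some-build-tool": {
      version: "1.0.0",
      dependencies: { tar: { version: "6.2.1" } },
    },
  },
};

console.log(findOutdatedTar(sampleTree)); // [{ chain: "some-build-tool > tar", version: "6.2.1" }]
```

To check a real project, replace `sampleTree` with the parsed output of `npm ls tar --all --json`; an empty result means the override took effect everywhere.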
coderabbitai bot (Contributor) commented Jan 19, 2026

Walkthrough

This pull request adds documentation and adjusts dependency overrides. The README gains a "Third-party licenses" section documenting tar's Blue Oak Model License 1.0.0. In package.json, a new override entry for tar is introduced, and the existing @mermaid-js/layout-elk override is updated with corrected syntax including a trailing comma. These changes involve no modifications to runtime behavior or public interfaces.

Pre-merge checks: 3 passed

  • Description Check: Passed. Check skipped - CodeRabbit's high-level summary is enabled.
  • Title check: Passed. Title clearly and concisely identifies the main change: a security upgrade of tar to address a specific vulnerability (GHSA-8qq5-rm4j-mr97).
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

Warning: Review ran into problems

Errors were encountered while retrieving linked issues.

Errors (1)
  • CVE-2026: Entity not found: Issue - Could not find referenced Issue.

codecov bot commented Jan 19, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 0%. Comparing base (9d21508) to head (99e9ae8).
⚠️ Report is 1 commit behind head on main.
✅ All tests successful. No failed tests found.


@Artmann Artmann marked this pull request as ready for review January 19, 2026 14:26
@Artmann Artmann requested a review from a team as a code owner January 19, 2026 14:26
@Artmann Artmann merged commit d74e397 into main Jan 19, 2026
13 checks passed
@Artmann Artmann deleted the upgrade-tar branch January 19, 2026 14:28