
Conversation

@erickzhao (Member)

Addresses https://nvd.nist.gov/vuln/detail/CVE-2026-23745. Note that this wasn't backported to tar@6 so this PR has a major version bump to tar@7.

I took #1226 and regenerated the lockfile changes myself after running git checkout main yarn.lock. Everything was squash rebased into a single commit under my signature.

Note that this required me to temporarily bypass the npmMinimalAgeGate setting.

AviVahl and others added 2 commits January 21, 2026 10:11
- upgrades tar to latest release to resolve security vulnerability
- changed to namespace import to match new tar@7 export style
- removed @types/tar, as types are built-in now

https://github.com/isaacs/node-tar/commits/v7.5.3

chore(deps): tar@7.5.4
https://github.com/isaacs/node-tar/commits/v7.5.4

revert lockfile changes

update to latest

Co-authored-by: Avi Vahl <avi@vahl.co.il>
@erickzhao erickzhao requested a review from a team as a code owner January 21, 2026 18:21
@erickzhao erickzhao changed the title security(deps): tar@7.5.6 fix: upgrade to tar@7.5.6 Jan 21, 2026
socket-security bot commented Jan 21, 2026

Review the following changes in direct dependencies.

Diff    Package      Supply Chain Security   Vulnerability   Quality   Maintenance   License
Added   tar@7.5.6    97                      100             100       93            100


@AlimovSV commented on yarn.lock (Outdated):

  bin:
    mkdirp: bin/cmd.js
  checksum: 10c0/46ea0f3ffa8bc6a5bc0c7081ffc3907777f0ed6516888d40a518c5111f8366d97d2678911ad1a6882bf592fa9de6c784fea32e1687bb94e1f4944170af48a5cf
"minizlib@npm:^3.1.0":

Now we have two minizlib v3.0.2 & v3.1.0. Could it be deduplicated?

@erickzhao (Member Author) replied:

Good point @AlimovSV

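The duplicate-version question in the review thread above is the kind of check worth automating before merging a lockfile regenerated by hand. As an added example that is not code from this PR or from the @electron/rebuild project, the following Python script parses a Yarn Berry-style yarn.lock (the format of the snippet above, with `npm:` descriptors and `10c0/` checksums) and reports every package that resolves to more than one version, together with the descriptors that pull each version in. The lockfile fragment is constructed for the example and its checksums are placeholders.

```python
import re
from collections import defaultdict

# Constructed yarn.lock fragment in Yarn Berry format (not the PR's real lockfile).
# It reproduces the situation raised in review: minizlib present twice.
SAMPLE_LOCK = '''\
# This file is generated by running "yarn install" inside your project.

__metadata:
  version: 8
  cacheKey: 10c0

"minipass@npm:^7.0.4, minipass@npm:^7.1.2":
  version: 7.1.2
  resolution: "minipass@npm:7.1.2"
  checksum: 10c0/PLACEHOLDER
  languageName: node
  linkType: hard

"minizlib@npm:^3.0.1":
  version: 3.0.2
  resolution: "minizlib@npm:3.0.2"
  dependencies:
    minipass: "npm:^7.1.2"
  checksum: 10c0/PLACEHOLDER
  languageName: node
  linkType: hard

"minizlib@npm:^3.1.0":
  version: 3.1.0
  resolution: "minizlib@npm:3.1.0"
  dependencies:
    minipass: "npm:^7.1.2"
  checksum: 10c0/PLACEHOLDER
  languageName: node
  linkType: hard

"tar@npm:^7.5.6":
  version: 7.5.6
  resolution: "tar@npm:7.5.6"
  dependencies:
    minizlib: "npm:^3.1.0"
  checksum: 10c0/PLACEHOLDER
  languageName: node
  linkType: hard
'''

# An entry header is an unindented, optionally quoted, comma-separated list of
# descriptors followed by a colon, e.g. "minizlib@npm:^3.0.1, minizlib@npm:^3.0.2":
HEADER_RE = re.compile(r'^"?(?P<descriptors>[^\s"].*?)"?:\s*$')
# The resolved version is the indented "version:" line inside the entry.
VERSION_RE = re.compile(r'^\s+version:\s*"?([^"\s]+)"?\s*$')


def package_name(descriptor):
    """Strip the range part of a descriptor; works for scoped names too
    ('@types/tar@npm:^6' -> '@types/tar') because the range contains no '@'."""
    return descriptor.rsplit("@", 1)[0]


def parse_lock(text):
    """Return {package_name: {resolved_version: [descriptors...]}}."""
    entries = defaultdict(lambda: defaultdict(list))
    current = None  # descriptors of the entry whose body we are inside
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        if not line[0].isspace():
            m = HEADER_RE.match(line)
            if m and m.group("descriptors") != "__metadata":
                current = [d.strip() for d in m.group("descriptors").split(",")]
            else:
                current = None
            continue
        m = VERSION_RE.match(line)
        if m and current:
            for desc in current:
                entries[package_name(desc)][m.group(1)].append(desc)
    return entries


def duplicates(text):
    """Packages that resolve to more than one version, with the descriptors per version."""
    return {
        name: {ver: descs for ver, descs in versions.items()}
        for name, versions in parse_lock(text).items()
        if len(versions) > 1
    }


if __name__ == "__main__":
    for name, versions in sorted(duplicates(SAMPLE_LOCK).items()):
        print(f"{name}: {len(versions)} versions")
        for ver, descs in sorted(versions.items()):
            print(f"  {ver} <- {', '.join(descs)}")
```

Run against a real lockfile by reading the file into `duplicates()`; a package listed with two versions means two copies will be installed, and the descriptor list tells you which range still pins the older one (here `^3.0.1`), which is what a `yarn dedupe` run or a manual range bump needs to remove.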

@erickzhao erickzhao marked this pull request as ready for review January 23, 2026 00:32
@erickzhao erickzhao merged commit c8dad87 into main Jan 23, 2026
6 checks passed
@erickzhao erickzhao deleted the AviVahl/main branch January 23, 2026 00:33
@AlimovSV

Something went wrong and the release was not produced

@erickzhao (Member Author)

@AlimovSV yeah, there needs to be some fix with our GitHub infrastructure permissions. Please hold!

nyoma-diamond commented Jan 27, 2026

Bump where we're at with publishing the release? It seems this is holding up quite a few downstream consumers; particularly electron-userland/electron-builder#9518 (and potentially electron/llm?). Are we waiting on something else to be merged or is it just the GitHub infrastructure issue?

@electron-npm-package-publisher

🎉 This PR is included in version 4.0.3 🎉

The release is available on:

Your semantic-release bot 📦🚀

@dsanders11 (Member)

@nyoma-diamond, the release was being blocked by some overzealous security rules in our GitHub infrastructure - we've resolved that issue and the v4.0.3 release of @electron/rebuild should be published now. 👍
