Upgrade tar to 7.5.9 to fix CVE #7364

Merged
DennisOSRM merged 4 commits into master from copilot/upgrade-tar-dependency
Feb 19, 2026

Contributor

Copilot AI commented Feb 19, 2026

Addresses HIGH severity vulnerability (CVSS 7.1) in tar < 7.5.8: arbitrary file read/write via hardlink target escape through symlink chain (GHSA-83g3-92jg-28cx).

Changes

  • Upgraded transitive dependency tar from 7.5.7 to 7.5.9 via @mapbox/node-pre-gyp
  • Updated package-lock.json (version, resolved URL, integrity hash)
  • Added CHANGELOG.md entry in the Build section documenting the security fix
Original prompt

Reference: https://github.com/Project-OSRM/osrm-backend/actions/runs/22180102753/job/64138876317#step:6:1

Upgrade the tar dependency
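
To confirm that a lockfile update like the one described above leaves no copy of `tar` below the fixed release, the check below walks the `packages` map of a parsed `package-lock.json` (lockfileVersion 2 or 3). It is an added example, not code from this pull request or from the OSRM project; the function names and the sample lockfile are constructed for illustration, and the 7.5.8 threshold is taken from the PR description.

```javascript
// Added example: flag every installed copy of `tar` below the first fixed release.
// Threshold from the PR description ("tar < 7.5.8").
const FIXED = [7, 5, 8];

// Parse "major.minor.patch"; prerelease/build suffixes are ignored (simplification).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  return m ? m.slice(1).map(Number) : null;
}

// True when version triple a sorts strictly before b.
function isBelow(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i];
  }
  return false;
}

// lock: parsed package-lock.json whose "packages" map is keyed by install path,
// e.g. "node_modules/a/node_modules/tar". Nested copies are checked too, because
// a transitive dependency can pin its own older version.
function findVulnerableTar(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const name = path.split('node_modules/').pop();
    if (name !== 'tar') continue; // skips tar-stream, @scope/tar, the root entry
    const ver = parseVersion(meta.version || '');
    // Unparseable versions are reported rather than silently passed.
    if (ver === null || isBelow(ver, FIXED)) {
      hits.push({ path, version: meta.version || null });
    }
  }
  return hits;
}

// Constructed sample lockfile (not the repository's real package-lock.json).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'example' },
    'node_modules/tar': { version: '7.5.9' },
    'node_modules/@mapbox/node-pre-gyp/node_modules/tar': { version: '7.5.7' },
    'node_modules/tar-stream': { version: '3.1.7' },
  },
};

console.log(findVulnerableTar(sampleLock));
```

A non-empty result in CI means some dependency path still resolves to an affected `tar`, even if the top-level copy was upgraded.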

Co-authored-by: DennisOSRM <1067895+DennisOSRM@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Upgrade tar dependency to latest version" to "Upgrade tar to 7.5.9 to fix CVE" Feb 19, 2026
Copilot AI requested a review from DennisOSRM February 19, 2026 11:40
TheMarex marked this pull request as ready for review February 19, 2026 12:47
@DennisOSRM
Collaborator

@copilot add a line to CHANGELOG.md for this change

Co-authored-by: DennisOSRM <1067895+DennisOSRM@users.noreply.github.com>
Contributor Author

Copilot AI commented Feb 19, 2026

> @copilot add a line to CHANGELOG.md for this change

Added to CHANGELOG.md in the Build section (commit 9a9fb98)

DennisOSRM merged commit 80564bb into master Feb 19, 2026
19 checks passed
DennisOSRM deleted the copilot/upgrade-tar-dependency branch February 19, 2026 16:12
MarcelloPerathoner pushed a commit to MarcelloPerathoner/osrm-backend that referenced this pull request Feb 24, 2026