Update tar dependency to 7.5.10 to fix GHSA-qffp-2rhf-9h96 vulnerability #4292
Closed
Description
The current version of lerna (9.0.5) depends on tar@7.5.8, which is affected by a high-severity path traversal vulnerability (GHSA-qffp-2rhf-9h96 / CVE-2026-29786).
Vulnerability Details
- Affected versions: tar <= 7.5.9
- Fixed in: tar 7.5.10
- Severity: High
- Issue: Hardlink path traversal via a drive-relative linkpath allows arbitrary file overwrite outside the extraction directory
Current State
```
$ npm audit
# npm audit report
tar <=7.5.9
Severity: high
tar has Hardlink Path Traversal via Drive-Relative Linkpath - https://github.com/advisories/GHSA-qffp-2rhf-9h96
fix available via `npm audit fix --force`
Will install lerna@6.4.1, which is a breaking change
node_modules/tar
  @lerna/create >=7.1.5
  Depends on vulnerable versions of tar
  node_modules/@lerna/create
    lerna 6.3.1-beta.0 - 6.3.1-beta.4 || >=6.4.2-beta.0
    Depends on vulnerable versions of @lerna/create
    Depends on vulnerable versions of tar
    node_modules/lerna

3 high severity vulnerabilities
```
Proposed Solution
Update the tar dependency from 7.5.8 to 7.5.10 (or later) in lerna's dependencies.
Additional Context
- Lerna 9.0.5 was released on March 3, 2026
- The changelog shows tar was updated from 7.5.7 to 7.5.8 in version 9.0.5
- tar@7.5.10 is available on npm and includes the security fix
References
GitHub Advisory: GHSA-qffp-2rhf-9h96
tar package: https://www.npmjs.com/package/tar