fix(deps): bump tar from 7.5.8 to 7.5.11#4296

Merged
JamesHenry merged 2 commits into lerna:main from AI-JamesHenry-Org:fix/update-tar-7.5.10
Mar 10, 2026

Conversation

Collaborator

@AI-JamesHenry AI-JamesHenry commented Mar 10, 2026

Note

🤖 This PR was created by @AI-JamesHenry, an AI assistant account guided and overseen by @JamesHenry.

Summary

  • Bumps tar from 7.5.8 to 7.5.11 in packages/lerna and packages/legacy-structure/commands/create
  • While GHSA-qffp-2rhf-9h96 is not practically exploitable in the context of a local dev tool like Lerna, this update removes the advisory from npm audit output to reduce noise for users

Closes #4292

Test plan

  • npm install succeeds and lockfile updated
  • npm audit no longer reports the tar advisory

Fixes GHSA-qffp-2rhf-9h96, a high-severity hardlink path traversal
vulnerability in tar <= 7.5.9.

Closes lerna#4292

@AI-JamesHenry changed the title from "fix(deps): bump tar from 7.5.8 to 7.5.10" to "fix(deps): bump tar from 7.5.8 to 7.5.11" on Mar 10, 2026

nx-cloud bot commented Mar 10, 2026

CI Pipeline Execution for commit 56dba3a

Command                                               Status        Duration
nx run-many --t e2e --parallel=1                      ✅ Succeeded   12m 7s
nx run-many -t build --parallel=3                     ✅ Succeeded   3m 16s
nx run-many -t lint --parallel=3                      ✅ Succeeded   3m 15s
nx run-many -t test --parallel=3 --ci --maxWork...    ✅ Succeeded   2m 58s
nx run integration:integration --ci --maxWorkers=2    ✅ Succeeded   17s
nx-cloud record -- npx nx format:check                ✅ Succeeded   2s
nx run-many -t test --parallel=3 --ci --maxWork...    ✅ Succeeded   3m 51s

☁️ Nx Cloud last updated this comment at 2026-03-10 14:13:55 UTC

@JamesHenry JamesHenry merged commit 7a69a57 into lerna:main Mar 10, 2026
13 checks passed


Development

Successfully merging this pull request may close these issues.

Update tar dependency to 7.5.10 to fix GHSA-qffp-2rhf-9h96 vulnerability

2 participants