
Fix tar security vulnerability by upgrading to 7.5.3#1496

Merged
yifancong merged 2 commits into main from copilot/fix-tar-dependency-security-vulnerability
Jan 21, 2026

Conversation

Contributor

Copilot AI commented Jan 19, 2026

Problem

tar 6.2.1 contains vulnerabilities allowing arbitrary file overwrite and symlink poisoning attacks through insufficient path sanitization.

Changes

  • Added tar version override to pnpm.overrides forcing all transitive dependencies to use 7.5.3
  • Updated lockfile reflecting secure tar version and its updated dependencies (chownr, minipass, minizlib)

Context

tar is a transitive dependency via @mapbox/node-pre-gyp. Version 7.5.3 includes proper path sanitization preventing:

  • Directory traversal attacks via ../ sequences
  • Symlink-based file overwrites outside extraction target

Original prompt

Fix security vulnerability in tar dependency by addressing Arbitrary File Overwrite and Symlink Poisoning issues caused by insufficient path sanitization.

This pull request was created from Copilot chat.



netlify bot commented Jan 19, 2026

Deploy Preview for rsdoctor ready!

Latest commit: 2b5bb13
Latest deploy log: https://app.netlify.com/projects/rsdoctor/deploys/696e137f576c0d00084e202d
Deploy Preview: https://deploy-preview-1496--rsdoctor.netlify.app

@yifancong yifancong marked this pull request as ready for review January 19, 2026 11:20
Copilot AI review requested due to automatic review settings January 19, 2026 11:20
Contributor

Copilot AI left a comment


Copilot wasn't able to review any files in this pull request.


Co-authored-by: yifancong <18437716+yifancong@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Fix security vulnerability in tar dependency" to "Fix tar security vulnerability by upgrading to 7.5.3" Jan 19, 2026
Copilot AI requested a review from yifancong January 19, 2026 11:24
@yifancong yifancong requested review from 9aoy and fi3ework January 21, 2026 06:51
@yifancong yifancong merged commit 34175a4 into main Jan 21, 2026
10 checks passed
@yifancong yifancong deleted the copilot/fix-tar-dependency-security-vulnerability branch January 21, 2026 07:07
@yifancong yifancong mentioned this pull request Jan 28, 2026

5 participants