
chore: bump tar to 7.5.11 to address GHSA-9ppj-qmqm-q256 #2355

Merged
dividedmind merged 1 commit into main from chore/bump-tar
Mar 16, 2026

@dividedmind
Collaborator

Added a resolution for tar version 7.5.11 in the root package.json to mitigate security vulnerabilities. This affects all transitive dependencies including node-gyp, cacache, and npm.

Contributor

Copilot AI left a comment

Pull request overview

Updates dependency resolution to pin tar to a newer version and refreshes the Yarn lockfile accordingly, likely to address a transitive dependency/security concern within the monorepo’s Node tooling.

Changes:

  • Add a root-level Yarn resolutions override to force tar to 7.5.11.
  • Update yarn.lock to reflect the new tar version and its updated transitive dependency graph (e.g., @isaacs/fs-minipass, minipass, minizlib, chownr, yallist).

Reviewed changes

Copilot reviewed 1 out of 2 changed files in this pull request and generated 1 comment.

| File | Description |
| --- | --- |
| package.json | Adds a resolutions entry to pin tar to 7.5.11. |
| yarn.lock | Lockfile update reflecting tar@7.5.11 and related transitive dependency shifts. |

@dividedmind dividedmind merged commit c001f7c into main Mar 16, 2026
37 of 38 checks passed
@dividedmind dividedmind deleted the chore/bump-tar branch March 16, 2026 17:27
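
As an added example (not code from this pull request or the project), one way to confirm that a root-level resolutions override like the one described above took effect is to list every version that tar resolves to in the lockfile and flag anything below the pinned one. The helper names and the sample lockfile text are constructed for illustration; the parser assumes the Yarn v1 or Berry lockfile layout.

```javascript
// Added example, not part of the PR. MIN_TAR is the version from the PR title.
const MIN_TAR = '7.5.11';

// Package name of a lockfile descriptor such as "tar@^6.1.11" or
// "@isaacs/fs-minipass@npm:^4.0.0" (a leading "@" marks a scope, not a range).
function nameOf(descriptor) {
  const at = descriptor.indexOf('@', 1);
  return at === -1 ? descriptor : descriptor.slice(0, at);
}

// Numeric major.minor.patch comparison; prerelease tags are ignored.
function cmp(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) < (pb[i] || 0) ? -1 : 1;
  }
  return 0;
}

// Every version that `pkg` resolves to, for Yarn v1 and Berry lockfile layouts.
function resolvedVersions(lockText, pkg) {
  const found = [];
  let inPkg = false;
  for (const line of lockText.split(/\r?\n/)) {
    if (/^\S.*:$/.test(line)) { // entry header: one or more descriptors
      inPkg = line.slice(0, -1).split(',')
        .some((d) => nameOf(d.trim().replace(/^"|"$/g, '')) === pkg);
    } else if (inPkg) {
      const m = line.match(/^\s+version:?\s+"?([^"\s]+)"?/);
      if (m) { found.push(m[1]); inPkg = false; }
    }
  }
  return found;
}

// Versions below `min`; an empty result means the override took effect.
function staleVersions(lockText, pkg, min) {
  return resolvedVersions(lockText, pkg).filter((v) => cmp(v, min) < 0);
}

// Constructed sample lockfiles (not taken from the repository).
const BEFORE = 'tar@^6.1.11, tar@^6.2.1:\n  version "6.2.1"\n\n' +
  '"@isaacs/fs-minipass@^4.0.0":\n  version "4.0.1"\n\n' +
  'tar@^7.4.3:\n  version "7.4.3"\n';
const AFTER = '"tar@npm:7.5.11":\n  version: 7.5.11\n  resolution: "tar@npm:7.5.11"\n';

console.log(staleVersions(BEFORE, 'tar', MIN_TAR)); // [ '6.2.1', '7.4.3' ]
console.log(staleVersions(AFTER, 'tar', MIN_TAR));  // []
```

Passing the contents of a real yarn.lock to `staleVersions` in CI catches an override that was removed or that never reached a nested workspace.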