From 4a77a01e5dcf577fee7ad64f1fb096cf8b7f1f21 Mon Sep 17 00:00:00 2001
From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com>
Date: Sun, 21 Jun 2026 13:01:08 +0000
Subject: [PATCH] chore(deps): bump tar to >=7.5.16 (GHSA-vmf3-w455-68vh)

- Bump direct dependency tar in packages/mongodb-downloader from ^7.5.11 to ^7.5.16
- Add overrides.tar >= 7.5.16 in root package.json to force all transitive consumers (lerna pins tar@7.5.11 exactly) to use the patched version

Fixes Dependabot alert #279 (CVE-2026-53655 / GHSA-vmf3-w455-68vh).

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
 package-lock.json | 24 ++++++++++++------------
 package.json | 3 +++
 packages/mongodb-downloader/package.json | 2 +-
 3 files changed, 16 insertions(+), 13 deletions(-)

diff --git a/package-lock.json b/package-lock.json
index 58fe65c9..6684dbe7 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -26528,9 +26528,9 @@
 }
 },
 "node_modules/tar": {
- "version": "7.5.11",
- "resolved": "https://registry.npmjs.org/tar/-/tar-7.5.11.tgz",
- "integrity": "sha512-ChjMH33/KetonMTAtpYdgUFr0tbz69Fp2v7zWxQfYZX4g5ZN2nOBXm1R2xyA+lMIKrLKIoKAwFj93jE/avX9cQ==",
+ "version": "7.5.16",
+ "resolved": "https://registry.npmjs.org/tar/-/tar-7.5.16.tgz",
+ "integrity": "sha512-56adEpPMouktRlBLXiaYFFzZ/3+JXa8P9n7WbR+ibIjtviN55mEaOkiysCnPnWm+7kkui1Dn8J9l+g6zV8731w==",
 "license": "BlueOak-1.0.0",
 "dependencies": {
 "@isaacs/fs-minipass": "^4.0.0",
@@ -28886,7 +28886,7 @@
 "mongodb-download-url": "^1.8.13",
 "node-fetch": "^2.7.0",
 "proper-lockfile": "^4.1.2",
- "tar": "^7.5.11"
+ "tar": "^7.5.16"
 },
 "devDependencies": {
 "@mongodb-js/eslint-config-devtools": "^0.11.7",
@@ -36184,7 +36184,7 @@
 "proper-lockfile": "^4.1.2",
 "sinon": "^9.2.3",
 "sinon-chai": "^4.0.1",
- "tar": "^7.5.11",
+ "tar": ">=7.5.16",
 "typescript": "^5.9.3"
 },
 "dependencies": {
@@ -38018,7 +38018,7 @@
 "nopt": "^9.0.0",
 "proc-log": "^6.0.0",
 "semver": "^7.3.5",
- "tar": "^7.5.4",
+ "tar": ">=7.5.16",
 "tinyglobby": "^0.2.12",
 "which": "^6.0.0"
 }
@@ -46462,7 +46462,7 @@
 "slash": "3.0.0",
 "ssri": "12.0.0",
 "string-width": "^4.2.3",
- "tar": "7.5.11",
+ "tar": ">=7.5.16",
 "through": "2.3.8",
 "tinyglobby": "0.2.12",
 "typescript": ">=3 < 6",
@@ -46779,7 +46779,7 @@
 "promise-retry": "^2.0.1",
 "sigstore": "^4.0.0",
 "ssri": "^12.0.0",
- "tar": "^7.4.3"
+ "tar": ">=7.5.16"
 },
 "dependencies": {
 "@npmcli/git": {
@@ -49321,7 +49321,7 @@
 "promise-retry": "^2.0.1",
 "sigstore": "^4.0.0",
 "ssri": "^13.0.0",
- "tar": "^7.4.3"
+ "tar": ">=7.5.16"
 },
 "dependencies": {
 "make-fetch-happen": {
@@ -51747,9 +51747,9 @@
 "dev": true
 },
 "tar": {
- "version": "7.5.11",
- "resolved": "https://registry.npmjs.org/tar/-/tar-7.5.11.tgz",
- "integrity": "sha512-ChjMH33/KetonMTAtpYdgUFr0tbz69Fp2v7zWxQfYZX4g5ZN2nOBXm1R2xyA+lMIKrLKIoKAwFj93jE/avX9cQ==",
+ "version": "7.5.16",
+ "resolved": "https://registry.npmjs.org/tar/-/tar-7.5.16.tgz",
+ "integrity": "sha512-56adEpPMouktRlBLXiaYFFzZ/3+JXa8P9n7WbR+ibIjtviN55mEaOkiysCnPnWm+7kkui1Dn8J9l+g6zV8731w==",
 "requires": {
 "@isaacs/fs-minipass": "^4.0.0",
 "chownr": "^3.0.0",
diff --git a/package.json b/package.json
index 2edbe4b8..da4b9672 100644
--- a/package.json
+++ b/package.json
@@ -51,5 +51,8 @@
 "depcheck": "^1.4.7",
 "husky": "^9.1.7",
 "lerna": "^9.0.7"
+ },
+ "overrides": {
+ "tar": ">=7.5.16"
 }
 }
diff --git a/packages/mongodb-downloader/package.json b/packages/mongodb-downloader/package.json
index 4e3d15bd..be258ef5 100644
--- a/packages/mongodb-downloader/package.json
+++ b/packages/mongodb-downloader/package.json
@@ -53,7 +53,7 @@
 },
 "dependencies": {
 "debug": "^4.4.0",
- "tar": "^7.5.11",
+ "tar": "^7.5.16",
 "decompress": "^4.2.1",
 "mongodb-download-url": "^1.8.13",
 "node-fetch": "^2.7.0",
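Review bot: The `overrides` entry added to the root package.json, `"tar": ">=7.5.16"`, has no upper bound, so if tar publishes a new major the override would pull it in for every transitive consumer on the next lockfile refresh — including lerna's exact `7.5.11` pin and the `^7.4.3` / `^7.5.4` ranges this same commit rewrites in package-lock.json — without any of those packages having declared compatibility with it. Capping the override at the current major, `"tar": "^7.5.16"`, still lifts lerna's exact pin and still satisfies the advisory fix while keeping a major upgrade a deliberate change rather than a side effect of reinstalling. Since package.json cannot carry comments, consider recording the reason for the override (the advisory id and the transitive pin that forced it) in the repository's dependency notes so a later cleanup knows when the override can be dropped.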