From 706f4a6cae3d0b55298ef84cdc1c0194b0af6895 Mon Sep 17 00:00:00 2001
From: Oz
Date: Wed, 24 Jun 2026 13:05:16 +0000
Subject: [PATCH] fix: update tar to 7.5.16 to resolve CVE-2026-53655

Adds npm override to pin tar >= 7.5.16, patching the PAX size override file-smuggling vulnerability (GHSA-vmf3-w455-68vh).

Co-Authored-By: Oz
---
 package-lock.json | 6 +++---
 package.json | 3 ++-
 2 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/package-lock.json b/package-lock.json
index 29640301..8128e1af 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -9079,9 +9079,9 @@
       }
     },
     "node_modules/tar": {
-      "version": "7.5.11",
-      "resolved": "https://registry.npmjs.org/tar/-/tar-7.5.11.tgz",
-      "integrity": "sha512-ChjMH33/KetonMTAtpYdgUFr0tbz69Fp2v7zWxQfYZX4g5ZN2nOBXm1R2xyA+lMIKrLKIoKAwFj93jE/avX9cQ==",
+      "version": "7.5.16",
+      "resolved": "https://registry.npmjs.org/tar/-/tar-7.5.16.tgz",
+      "integrity": "sha512-56adEpPMouktRlBLXiaYFFzZ/3+JXa8P9n7WbR+ibIjtviN55mEaOkiysCnPnWm+7kkui1Dn8J9l+g6zV8731w==",
       "license": "BlueOak-1.0.0",
       "dependencies": {
         "@isaacs/fs-minipass": "^4.0.0",
diff --git a/package.json b/package.json
index 0eb01ce1..eb4b34e7 100644
--- a/package.json
+++ b/package.json
@@ -47,7 +47,8 @@
   "overrides": {
     "path-to-regexp": "^6.3.0",
     "esbuild": "^0.28.1",
-    "vite": "7.3.5"
+    "vite": "7.3.5",
+    "tar": "^7.5.16"
   },
   "devDependencies": {
     "@astrojs/check": "^0.9.8",
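Review bot: The new `"tar": "^7.5.16"` override in the package.json hunk forces every copy of tar in the tree onto 7.x, including any transitive dependent that may declare a different major range, while the package-lock.json hunk shows only the single top-level `node_modules/tar` entry being updated. Before treating this as closing the CVE, confirm with `npm ls tar` that no nested `node_modules/*/node_modules/tar` copy remains and that no dependent's declared range is being silently violated by the override. Because package.json is strict JSON there is nowhere to record the GHSA rationale next to the entry, so the commit message is the only record; consider a dated note in the changelog or README to remove the override once the packages that pull in tar have moved to a patched range themselves. The `overrides` object begins inside the hunk but the enclosing package.json object continues outside it.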