fix: update tar to 7.5.16 to resolve CVE-2026-53655#251
Conversation
Adds npm override to pin tar >= 7.5.16, patching the PAX size override file-smuggling vulnerability (GHSA-vmf3-w455-68vh). Co-Authored-By: Oz <oz-agent@warp.dev>
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
|
I'm starting a first review of this pull request. You can follow along in the session on Warp. I completed the review and no human review was requested for this pull request. Comment Powered by Oz |
![oz-for-oss[bot]](https://avatars.githubusercontent.com/in/3450139?s=60&v=4){kind=small}
There was a problem hiding this comment.
Overview
This PR updates the transitive tar dependency from 7.5.11 to 7.5.16 and adds an npm override so resolution stays on a patched 7.x release. The lockfile reflects the expected resolved package and integrity for 7.5.16.
Concerns
- No blocking correctness, security, or spec-alignment concerns found in the attached diff.
Verdict
Found: 0 critical, 0 important, 0 suggestions
Approve
Comment /oz-review on this pull request to retrigger a review (up to 3 times on the same pull request).
Powered by Oz
# Conflicts: # package.json
hongyi-chen
left a comment
hongyi-chen
left a comment
There was a problem hiding this comment.
Verified locally: rebased onto latest main, resolved package.json overrides, regenerated lockfile (tar resolves to 7.5.16, resolving CVE-2026-53655). Full npm run build passes (340 pages).
3 participants
Pins
tarto>=7.5.16via an npm override to resolve CVE-2026-53655.Advisory
What changed
Added
"tar": "^7.5.16"to theoverridesfield inpackage.json. This forces npm to resolve all transitivetardependencies to >=7.5.16, which contains the fix for the PAX size override file-smuggling vulnerability.The
tarpackage (7.5.11 → 7.5.16) is a transitive dependency pulled in by@mapbox/node-pre-gyp(viasharp).Verification
npm auditno longer flagstarafter applying the override and runningnpm install.