fix: Upgrade tar package to ^7.5.7 - CVE-2026-23745 - HIGH#933
Merged
fix: Upgrade tar package to ^7.5.7 - CVE-2026-23745 - HIGH#933
Conversation
There was a problem hiding this comment.
Pull request overview
This pull request upgrades the tar package from version ^7.4.0 to ^7.5.3 to address a security vulnerability referenced as CVE-2026-23745.
Changes:
- Upgrades tar package to version 7.5.3
- Upgrades minizlib dependency from 3.0.1 to 3.1.0
- Removes several transitive dependencies (jackspeak, @isaacs/cliui, mkdirp, rimraf, and others) that are no longer required
Reviewed changes
Copilot reviewed 1 out of 2 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| package.json | Updates tar dependency version from ^7.4.0 to ^7.5.3 |
| package-lock.json | Updates tar to 7.5.3, minizlib to 3.1.0, removes obsolete transitive dependencies, and adjusts peer dependency markers |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Collaborator
Author
|
% aws-sdk >=2.0.1 1 low severity vulnerability https://www.npmjs.com/package/aws-sdk -->
https://github.com/aws/aws-sdk-js |
|
@cclauss |
tobias-jarvelov
added a commit
to mullvad/mullvadvpn-app
that referenced
this pull request
Jan 23, 2026
We have investigated the uses of the tar dependency and found two use cases of it in our code base's supply chain: - electron-builder - grpc-tools (from their use of @mapbox-node-pre-gyp) Currently the tar dependency update has not traversed all through the supply chain in the packages we depend on. electron-builder and their supply chain was very fast to bump the dependency, but it seems like @mapbox/node-pre-gyp do not currently have an update available, currently. A draft PR does exist though. Link to draft PR for @mapbox/node-pre-gyp tar upgrade: mapbox/node-pre-gyp#933 When this has been patched we should update immediately. --- Extended reasoning on ignoring the vulnerable dependency: The vulnerable tar dependency does not handle arbitrary tar files, as it is only used by grpc-tools. Unless the specific tar file, corresponding to the version of grpc-tools we depend on, is compromised then an attack is not possible. The tar file is hosted on Github's package repository and for an attack to be possibe either the grpc-tools team or Github's package repostitory must be compromised, which currently seems unlikely. However, even if unlikely we still want to ensure that we can protect against this attack and if a patch hasn't been made available at the end of this ignore period we will want to investigate other forms of mitigation.
tobias-jarvelov
added a commit
to mullvad/mullvadvpn-app
that referenced
this pull request
Jan 26, 2026
We have investigated the uses of the tar dependency and found two use cases of it in our code base's supply chain: - electron-builder - grpc-tools (from their use of @mapbox-node-pre-gyp) Currently the tar dependency update has not traversed all through the supply chain in the packages we depend on. electron-builder and their supply chain was very fast to bump the dependency, but it seems like @mapbox/node-pre-gyp do not currently have an update available, currently. A draft PR does exist though. Link to draft PR for @mapbox/node-pre-gyp tar upgrade: mapbox/node-pre-gyp#933 When this has been patched we should update immediately. --- Extended reasoning on ignoring the vulnerable dependency: The vulnerable tar dependency does not handle arbitrary tar files, as it is only used by grpc-tools. Unless the specific tar file, corresponding to the version of grpc-tools we depend on, is compromised then an attack is not possible. The tar file is hosted on Github's package repository and for an attack to be possibe either the grpc-tools team or Github's package repostitory must be compromised, which currently seems unlikely. However, even if unlikely we still want to ensure that we can protect against this attack and if a patch hasn't been made available at the end of this ignore period we will want to investigate other forms of mitigation.
|
Another one which recommends |
cclauss
force-pushed
the
upgrade-tar-package
branch
from
3e905fd to
e22ef0f
Compare
cclauss
changed the title
Collaborator
Author
Collaborator
|
I'm not exactly sure why this was closed and probably would have merged it personally |
* update AWS SDK from v2 to v3 * npm audit fix Note that eslint-config-mapbox has to be pinned due to mapbox/eslint-plugin-mapbox#3. * Allow npm audit to fail without breaking CI --------- Co-authored-by: Christian Clauss <cclauss@me.com>
benmccann
approved these changes
Feb 21, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Fixes: #932
Blocked by: #719