CVE-2026-24842 - dependency update request for node-tar

[hanurii]

GHSA-34x7-hfp2-rc4v

node-tar is currentyl 7.5.4, CVE patched in 7.5.7

[cclauss]

• CVE-2026-23950 - dependency update request for node-tar #3270
• Upgrade tar to 7.5.4 to address CVE-2026-23950 #3271

[daka1510]

My understanding is that this involves updating

node-gyp/package.json

Line 28 in 46d7576

"make-fetch-happen": "^15.0.0",

to ^20.0.0. This will then transitively update to the latest version of cacache. And the latest version of cacache no longer depends on (a vulnerable version of) tar (npm/cacache#314).

@cclauss the PR you linked to only updated a direct dependency. @hanurii do we share the same understanding that this would fix the issue?

[hanurii]

• CVE-2026-23950 - dependency update request for node-tar #3270
• Upgrade tar to 7.5.4 to address CVE-2026-23950 #3271

Sorry for the late reply.

@cclauss It looks like the PR you linked updates tar to version 7.5.4. To resolve the CVE I mentioned, we need to update to tar@7.5.7 or higher. So, we need to specify that minimum patch version in package.json.

[hanurii]

My understanding is that this involves updating

node-gyp/package.json

Line 28 in 46d7576

"make-fetch-happen": "^15.0.0",
to ^20.0.0. This will then transitively update to the latest version of cacache. And the latest version of cacache no longer depends on (a vulnerable version of) tar (npm/cacache#314).
@cclauss the PR you linked to only updated a direct dependency. @hanurii do we share the same understanding that this would fix the issue?

@daka1510 Thanks for the suggestion.

I am currently using packages like sass, playwright, and vite, and they all commonly depend on node-gyp. Given my dependency structure, updating the tar version within node-gyp directly is the most effective solution for me. This will allow me to subsequently request the maintainers of those packages (like sass or vite) to update their node-gyp dependency.

I hope this clarifies my intention. Thanks.