Skip to content

fix(security): remove unused semantic-release, pin serverless's tar >…#740

Open
sid88in wants to merge 1 commit into
masterfrom
fix/drop-semantic-release-tar-250
Open

fix(security): remove unused semantic-release, pin serverless's tar >…#740
sid88in wants to merge 1 commit into
masterfrom
fix/drop-semantic-release-tar-250

Conversation

@sid88in

@sid88in sid88in commented Jul 9, 2026

Copy link
Copy Markdown
Owner

fix(security): remove unused semantic-release, raise tar override floor to >=7.5.16

Addresses Dependabot alert 250 (decompress-style bundled-dependency case for tar).
Builds on top of #739 and #738.

Note on issue links: this PR intentionally uses no Fixes #N trailer. Dependabot alert
numbers and issue numbers are separate namespaces — Fixes #250 / Fixes #188 would link
to the unrelated issues "additionalAuthenticationProviders not working" and
"CreateFunction Permission". The advisory is referenced by GHSA ID instead.

Summary

Two changes to package.json:

  1. Remove semantic-release from devDependencies — it is entirely unused, and it is the only path to the vulnerable tar bundled inside the npm package.
  2. Raise the overrides.serverless.tar floor from ^7.5.8 (set in fix(security): force serverless's tar to >=7.5.8 (CVE-2026-26960) #739) to ^7.5.16.
   "prettier": "^2.8.0",
-  "semantic-release": "^25.0.3",
   "serverless": "^3.25.1",

   "serverless": {
-    "tar": "^7.5.8"
+    "tar": "^7.5.16"
   }

The advisory

CVE-2026-53655 / GHSA-vmf3-w455-68vh — Moderate (6.9). Affected tar <= 7.5.15; patched 7.5.16. Tagged Development dependency.

node-tar applies a PAX size= record to intermediary GNU long-name (L) / long-link (K) headers. Per POSIX pax, a PAX extended header describes the next file entry, not the intervening extension headers. Letting the override apply to an L/K header desynchronizes node-tar's stream cursor relative to GNU tar, libarchive/bsdtar, and Python tarfile.

The result is a tar parser interpretation differential (CWE-436): one crafted archive yields a different member list under node-tar than under reference tools, so a file can be hidden from a scanner that parses with one library while still landing on disk via another.

Why #739's override cannot fix this

After #739, the tree still contains two tar copies:

version location source
7.5.19 node_modules/tar serverless — already overridden by #739
7.5.15 node_modules/npm/node_modules/tar bundled inside npm

The remaining copy is reached via:

devDependencies → semantic-release@25.0.3 → @semantic-release/npm@13.1.5 → npm@11.16.0 → (bundled) tar@7.5.15

tar is one of npm's 65 bundleDependencies — it ships pre-installed inside npm's own tarball. npm overrides cannot rewrite bundled dependencies. Verified empirically: adding a global "overrides": { "tar": "^7.5.16" } leaves node_modules/npm/node_modules/tar at 7.5.15 and npm audit still reports GHSA-vmf3-w455-68vh. An override only affects the hoisted top-level copy.

So the vulnerable tar can only be removed by removing whatever pulls npm in.

Why removing semantic-release is the right fix

semantic-release is not used by this repository:

  • No .releaserc / .releaserc.json / release.config.js.
  • No "release" key in package.json.
  • Not referenced in any GitHub Actions workflow.
  • Not referenced in any npm script.
  • No other reference anywhere in the repo.

Releases are tag-driven via .github/workflows/release.yml: pushing a v*.*.* tag runs test/lint/build, sets the version from the tag name, and publishes. semantic-release is leftover from an earlier release approach — the same phantom-dependency pattern as @serverless/utils in #738.

Removing it drops npm and its bundled tar (−399 packages).

Why also raise the override floor

#739 set ^7.5.8, which permits 7.5.15 — precisely the version this advisory affects. npm resolves to the highest satisfying version (7.5.19) and the lockfile pins it, so this is not exploitable today; raising the floor to ^7.5.16 simply makes the intent explicit and prevents a future resolution into the vulnerable range. Resolves to tar@7.5.19 either way.

Result

Verified against current master (b48496b, i.e. with #738 and #739 merged):

To apply

npm pkg delete devDependencies.semantic-release
npm pkg set 'overrides.serverless.tar=^7.5.16'
npm install     # regenerates package-lock.json

npm run build && npm run lint && npm test
npm ls tar --all   # expect a single tar@7.5.19; no bundled 7.5.15
npm audit          # no tar findings

Notes

  • Large lockfile diff is expected (≈8,400 deletions): removing semantic-release prunes ~399 transitive packages. No runtime dependency is touched; package.json changes by two lines.
  • If semantic-release is ever wanted back, reintroduce it with real configuration wired into the release workflow, and choose a line whose @semantic-release/npm bundles npm with tar >= 7.5.16.
  • Remaining npm audit findings (decompress, tmp, js-yaml, …) are dev-only advisories from serverless / @serverless/test, tracked separately.

@coderabbitai

coderabbitai Bot commented Jul 9, 2026

Copy link
Copy Markdown

Review Change Stack

📝 Walkthrough

Walkthrough

This PR removes the semantic-release devDependency from package.json and updates the pinned tar override from 7.5.8 to 7.5.16.

Changes

Dependency Updates

Layer / File(s) Summary
Update devDependencies and overrides
package.json
Removes semantic-release from devDependencies and bumps the tar override version from 7.5.8 to 7.5.16.

Estimated code review effort: 1 (Trivial) | ~2 minutes

Possibly related PRs

Suggested reviewers: AlexHladin

🚥 Pre-merge checks | ✅ 3 | ❌ 2

❌ Failed checks (2 warnings)

Check name Status Explanation Resolution
Linked Issues check ⚠️ Warning The PR only removes semantic-release and pins tar, so it does not address #250 or #188. Implement the Cognito/OpenID additionalAuthenticationProviders fix and the AppSync CreateFunction permission change, or retarget the PR to the correct issue.
Out of Scope Changes check ⚠️ Warning The dependency cleanup and tar override are unrelated to the linked issue objectives. Remove the unrelated dependency changes or add the missing issue-related code for #250 and #188.
✅ Passed checks (3 passed)
Check name Status Explanation
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title matches the main changes: removing semantic-release and pinning tar for security.
✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch fix/drop-semantic-release-tar-250

Comment @coderabbitai help to get the list of available commands.

@sid88in sid88in self-assigned this Jul 9, 2026
@sid88in sid88in requested a review from AlexHladin July 9, 2026 01:57
…=7.5.16

The tar flagged by Dependabot alert 250 (CVE-2026-53655 / GHSA-vmf3-w455-68vh,
tar <= 7.5.15) is bundled inside the npm package, reached via
semantic-release -> @semantic-release/npm -> npm. npm overrides cannot rewrite
bundled dependencies, so the scoped override from #739 cannot reach it.

semantic-release is unused: no .releaserc, no release key, not referenced in any
workflow or npm script. Releases are tag-driven via release.yml. Removing it
drops npm and its bundled tar (-399 packages).

Also raises #739's override floor from ^7.5.8 to ^7.5.16, since ^7.5.8 permits
7.5.15 -- the version this advisory affects. Resolves to tar@7.5.19 either way.

Single tar@7.5.19 remains; no tar advisories. build, lint and 362 tests pass.

Refs: GHSA-vmf3-w455-68vh
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants