
fix: update simple-git and tar to address security vulnerabilities#772

Merged: BYK merged 1 commit into master from fix/security-dep-updates, Mar 11, 2026

Conversation

BYK (Member) commented Mar 11, 2026

Security Dependency Updates

Addresses open Dependabot alerts by updating vulnerable direct dependencies:

  • simple-git: 3.30.0 → 3.33.0 — fixes CVE-2026-28292 (CRITICAL, CVSS 9.8). RCE via case-insensitive protocol.allow bypass in blockUnsafeOperationsPlugin.
  • tar: 7.5.10 → 7.5.11 — fixes CVE-2026-29786 (HIGH, CVSS 8.2). Hardlink path traversal via drive-relative linkpath.

Dismissed alert

Alert #119 (@tootallnate/once, LOW severity) was dismissed as tolerable risk. The fix requires a major version bump (v2 → v3) but is blocked upstream: teeny-request pins http-proxy-agent@^5 which hard-requires @tootallnate/once@2. The vulnerability requires AbortSignal usage patterns not present in Craft, and @google-cloud/storage is a devDependency only.

Verification

  • ✅ Build passes
  • ✅ All tests pass (6 pre-existing e2e failures due to missing EDITOR env var — unrelated)

- simple-git: 3.30.0 → 3.33.0 (fixes CVE-2026-28292, CRITICAL CVSS 9.8)
  RCE via case-insensitive protocol.allow bypass in blockUnsafeOperationsPlugin
- tar: 7.5.10 → 7.5.11 (fixes CVE-2026-29786, HIGH CVSS 8.2)
  Hardlink path traversal via drive-relative linkpath

Also dismissed Dependabot alert #119 (@tootallnate/once, LOW severity)
as tolerable risk — blocked upstream by teeny-request pinning
http-proxy-agent@^5, and the vulnerability requires AbortSignal usage
patterns not present in Craft.
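Added example (not code from Craft or this PR): it checks a package-lock.json-style tree against the fixed versions the PR names and, for anything still below its fix, walks the lockfile upward to show the transitive pin that blocks the bump, which is the reasoning given for dismissing alert #119. The lockfile fragment and the 3.0.0 floor for @tootallnate/once are constructed assumptions, not Craft's real lockfile.

```javascript
const FIXED = {
  'simple-git': '3.33.0',        // CVE-2026-28292, fixed version per the PR
  tar: '7.5.11',                 // CVE-2026-29786, fixed version per the PR
  '@tootallnate/once': '3.0.0',  // assumed: the PR says the fix needs the v3 major
};
// Constructed lockfile fragment (lockfileVersion 2/3 "packages" layout); sample values only.
const LOCK = {
  packages: {
    '': { dependencies: { 'simple-git': '^3.33.0', tar: '^7.5.11' },
          devDependencies: { '@google-cloud/storage': '^7.0.0' } },
    'node_modules/simple-git': { version: '3.33.0' }, 'node_modules/tar': { version: '7.5.11' },
    'node_modules/@google-cloud/storage': { version: '7.0.0', dev: true, dependencies: { 'teeny-request': '^9.0.0' } },
    'node_modules/teeny-request': { version: '9.0.0', dev: true, dependencies: { 'http-proxy-agent': '^5.0.0' } },
    'node_modules/http-proxy-agent': { version: '5.0.0', dev: true, dependencies: { '@tootallnate/once': '2' } },
    'node_modules/@tootallnate/once': { version: '2.0.0', dev: true },
  },
};
// Numeric dotted-version compare: negative if a < b, 0 if equal, positive if a > b.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number), pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}
// Walk upward from `name`: who declares it, who declares that, up to the root (''), so a
// blocked upgrade can be traced to the transitive pin (and range) that causes it.
function pinChain(lock, name) {
  const chain = []; let current = name;
  while (current !== '' && chain.length < 50) {
    const hit = Object.entries(lock.packages)
      .map(([path, meta]) => [path, { ...(meta.dependencies || {}), ...(meta.devDependencies || {}) }])
      .find(([, deps]) => current in deps);
    if (!hit) break;
    chain.push(`${hit[0] || '(root)'} wants ${current}@${hit[1][current]}`);
    current = hit[0].replace(/^.*node_modules\//, '');
  }
  return chain;
}
// One finding per package still below its fixed version (devOnly: reachable only via devDependencies).
function auditLock(lock, fixed) {
  const findings = [];
  for (const [name, minVersion] of Object.entries(fixed)) {
    const meta = lock.packages[`node_modules/${name}`];
    if (!meta || compareVersions(meta.version, minVersion) >= 0) continue;
    findings.push({ name, installed: meta.version, fixed: minVersion,
                    devOnly: Boolean(meta.dev), pinnedBy: pinChain(lock, name) });
  }
  return findings;
}
console.log(JSON.stringify(auditLock(LOCK, FIXED), null, 2));
```

With the constructed lockfile, simple-git and tar pass and the only finding is @tootallnate/once, pinned through http-proxy-agent, teeny-request and @google-cloud/storage back to the root's devDependencies.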
BYK marked this pull request as ready for review March 11, 2026 15:41
BYK merged commit 0a24524 into master Mar 11, 2026
17 checks passed
BYK deleted the fix/security-dep-updates branch March 11, 2026 15:43