@camdecoster

Description

Update tar-fs, tmp subdependencies to address vulnerabilities surfaced by npm audit.

Changes

  • Update tar-fs to v2.1.4
  • Update tmp to v0.2.5

Testing

CI passing should be a good enough check.

Notes

The audit report showed the following. The MathJax vulnerability is a known issue that we've chosen not to address for now.

# npm audit report

mathjax  <=2.7.9
Severity: high
MathJax Regular expression Denial of Service (ReDoS) - https://github.com/advisories/GHSA-v638-q856-grg8
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/@plotly/mathjax-v2

tar-fs  2.0.0 - 2.1.3
Severity: high
tar-fs has a symlink validation bypass if destination directory is predictable with a specific tarball - https://github.com/advisories/GHSA-vj76-c3g6-qr5v
fix available via `npm audit fix`
node_modules/tar-fs

tmp  <=0.2.3
tmp allows arbitrary temporary file / directory write via symbolic link `dir` parameter - https://github.com/advisories/GHSA-52f5-9888-hmc6
fix available via `npm audit fix`
node_modules/tmp

3 vulnerabilities (1 low, 2 high)

To address issues that do not require attention, run:
  npm audit fix

To address all issues (including breaking changes), run:
  npm audit fix --force
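The PR relies on CI passing as its check. A reviewer may also want to confirm directly that the resolved versions in the lockfile have left the ranges named in the audit output above (tar-fs 2.0.0 - 2.1.3, tmp <=0.2.3), including nested copies under another package's `node_modules`. The following script is an added example, not part of this PR or of the project: it reads a lockfileVersion 2/3 `packages` map and reports any entry still inside an advisory range. The two lockfile fragments are constructed for illustration; the advisory ranges and GHSA ids are the ones shown in the audit report.

```javascript
// Added example (not the project's code): check a package-lock.json "packages"
// map against the ranges flagged by npm audit on this page.
// Ranges and advisory ids come from the audit output; lockfile data is constructed.

const ADVISORIES = [
  // tar-fs 2.0.0 - 2.1.3 (GHSA-vj76-c3g6-qr5v)
  { name: 'tar-fs', id: 'GHSA-vj76-c3g6-qr5v',
    vulnerable: (v) => cmp(v, '2.0.0') >= 0 && cmp(v, '2.1.3') <= 0 },
  // tmp <=0.2.3 (GHSA-52f5-9888-hmc6)
  { name: 'tmp', id: 'GHSA-52f5-9888-hmc6',
    vulnerable: (v) => cmp(v, '0.2.3') <= 0 },
];

// Minimal semver parse: major.minor.patch, ignoring prerelease/build metadata.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Three-way compare of two version strings: -1, 0 or 1.
function cmp(a, b) {
  const x = parseVersion(a);
  const y = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  }
  return 0;
}

// Walk every installed path. Keys look like "node_modules/tar-fs" or
// "node_modules/some-tool/node_modules/tmp"; the package name is the segment
// after the last "node_modules/". Scoped names ("@scope/pkg") survive this split.
function findVulnerable(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const name = path.split('node_modules/').pop();
    if (!name || !meta.version) continue; // root entry "" has no node_modules prefix
    for (const adv of ADVISORIES) {
      if (name === adv.name && adv.vulnerable(meta.version)) {
        findings.push({ path, version: meta.version, advisory: adv.id });
      }
    }
  }
  return findings;
}

// Constructed lockfile fragments: before and after the dependency bump.
const LOCK_BEFORE = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app' },
    'node_modules/tar-fs': { version: '2.1.1' },
    'node_modules/some-tool/node_modules/tmp': { version: '0.2.1' },
  },
};
const LOCK_AFTER = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app' },
    'node_modules/tar-fs': { version: '2.1.4' },
    'node_modules/some-tool/node_modules/tmp': { version: '0.2.5' },
  },
};

function report(label, lock) {
  const hits = findVulnerable(lock);
  console.log(`${label}: ${hits.length} vulnerable entr${hits.length === 1 ? 'y' : 'ies'}`);
  for (const h of hits) console.log(`  ${h.path}@${h.version} (${h.advisory})`);
  return hits.length;
}

report('before', LOCK_BEFORE);
report('after', LOCK_AFTER);
```

To run it against a real checkout, replace the constructed objects with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`; a non-zero count from `report` is the signal that a nested copy still needs bumping (for example via an `overrides` entry in package.json).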

@camdecoster camdecoster requested a review from emilykl October 21, 2025 19:56
@camdecoster camdecoster self-assigned this Oct 21, 2025
@camdecoster camdecoster changed the title Update tar-fs, tmp subdependencies to address vulnerabilities fix: Update tar-fs, tmp subdependencies to address vulnerabilities Oct 21, 2025
@camdecoster camdecoster changed the title fix: Update tar-fs, tmp subdependencies to address vulnerabilities chore: Update tar-fs, tmp subdependencies to address vulnerabilities Oct 21, 2025
@emilykl emilykl left a comment

🚀

@camdecoster camdecoster merged commit 9e9572b into master Oct 22, 2025
6 checks passed
@camdecoster camdecoster deleted the cam/update-dependencies-20251021 branch October 22, 2025 18:59