
fix: resolve CVE-2026-29786 and CVE-2026-31802 node-tar path traversal #302

Merged: msingleton merged 1 commit into main from mike/CVE-2026-29786-31802 on Mar 11, 2026

Conversation

@msingleton (Member) commented Mar 11, 2026

Summary

  • Bumps tar resolution from ^7.5.8 to ^7.5.11 to fix two path traversal vulnerabilities in node-tar
  • CVE-2026-29786: Path traversal via drive-relative hardlink targets (fixed in 7.5.10)
  • CVE-2026-31802: Symlink path traversal via drive-relative linkpath (fixed in 7.5.11)

Test plan

  • yarn test passes
  • Verified yarn.lock resolves tar to 7.5.11
  • Confirmed SimpleExample is unaffected (no separate lockfile)
  • Dev dependency only — no impact on shipped SDK code

🤖 Generated with Claude Code

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
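The "Verified yarn.lock resolves tar to 7.5.11" step of the test plan, as an added example that is not code from the PR or the repository: it scans a yarn.lock (classic v1 or berry layout) for every `tar` resolution and reports any still below 7.5.11, the release that closes both CVEs. The lockfile fragments are constructed inline for illustration, not the repository's real yarn.lock.

```javascript
// Added example, not code from the PR: flag `tar` resolutions in a yarn.lock
// that are below 7.5.11 (7.5.10 fixed CVE-2026-29786, 7.5.11 fixed CVE-2026-31802).
const FIXED_TAR_VERSION = '7.5.11';

// Compare two "x.y.z" versions numerically (string order would rank 7.5.8 above 7.5.11).
function compareSemver(a, b) {
  const parse = (v) => {
    const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
    if (!m) throw new Error(`not a semver: ${v}`);
    return m.slice(1).map(Number);
  };
  const [pa, pb] = [parse(a), parse(b)];
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// Resolved versions of `pkg` in a yarn.lock, classic v1 or berry format. Both start a
// block with an unindented descriptor line ("tar@^7.5.8": or "tar@npm:^7.5.8":)
// followed by an indented version line (version "7.5.11" or version: 7.5.11).
function resolvedVersions(lockText, pkg) {
  const escaped = pkg.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
  const header = new RegExp(`(^|, )"?${escaped}@`); // exact name: skips tar-stream, @x/tar
  const versions = [];
  let inBlock = false;
  for (const line of lockText.split('\n')) {
    if (line && !/^\s/.test(line)) {      // unindented, non-empty: a new block header
      inBlock = header.test(line);
    } else if (inBlock) {
      const m = /^\s+version:?\s+"?([^"\s]+)"?/.exec(line);
      if (m) versions.push(m[1]);
    }
  }
  return versions;
}

// `tar` versions in `lockText` still below the fixed release (empty when clean).
function vulnerableTarVersions(lockText) {
  return resolvedVersions(lockText, 'tar').filter((v) => compareSemver(v, FIXED_TAR_VERSION) < 0);
}

// Constructed lockfile fragments (not the repository's real yarn.lock): the
// resolution before and after the bump described in the PR.
const LOCK_BEFORE = `# yarn lockfile v1

"tar-stream@^3.1.7":
  version "3.1.7"

"tar@^7.5.8":
  version "7.5.8"
  dependencies:
    minipass "^7.1.2"
`;
const LOCK_AFTER = LOCK_BEFORE.replace('version "7.5.8"', 'version "7.5.11"');

const bad = vulnerableTarVersions(LOCK_BEFORE);
console.log(bad.length ? `vulnerable tar: ${bad.join(', ')}` : 'tar resolution OK');
```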
@msingleton msingleton merged commit 2503c0b into main Mar 11, 2026
3 checks passed