@karlderkaefer karlderkaefer commented Feb 10, 2026

Hi, we have a high security finding on semantic-release for tar 7.5.2. The problem is that by default it pulls semantic-release/npm, which used the npm dependency. Let's upgrade to fix the vulnerability.

Summary

This updates the npm dependency from ^11.6.2 to ^11.8.0 to address the high severity vulnerability in tar (GHSA-8qq5-rm4j-mr97).

Vulnerability Details

The tar package bundled in npm versions <= 11.7.0 is vulnerable to:

  • Arbitrary File Overwrite via insufficient path sanitization
  • Symlink Poisoning attacks

Version Analysis

| npm version | bundled tar | status |
|---|---|---|
| 11.7.0 | ^7.5.2 | ❌ Vulnerable |
| 11.8.0 | ^7.5.4 | ✅ Fixed |
| 11.9.0 | ^7.5.7 | ✅ Latest |

Changes

  • Updated npm dependency from ^11.6.2 to ^11.8.0
  • Updated package-lock.json

Testing

  • npm audit returns 0 vulnerabilities after this change
  • All existing tests should pass (no functional changes)

Test plan

  • CI passes
  • npm audit shows no vulnerabilities related to tar

This updates the npm dependency from ^11.6.2 to ^11.8.0 to address
the high severity vulnerability in tar (GHSA-8qq5-rm4j-mr97).

- npm@11.7.0 bundles tar@^7.5.2 (vulnerable)
- npm@11.8.0 bundles tar@^7.5.4 (fixed)
- npm@11.9.0 bundles tar@^7.5.7 (latest)

The vulnerability allows arbitrary file overwrite and symlink
poisoning via insufficient path sanitization.
karlderkaefer commented Feb 10, 2026

-@travi please check whenever you have time-
Never mind, the lock file was already updated in #1088
