@evantahler evantahler commented Jan 20, 2026

Update tar package to version 7.5.4 to remediate CVE-2026-23745, a high-severity vulnerability in npm-tar <= 7.5.2.

The vulnerability was in the tar package, a transitive dependency of @tailwindcss/oxide. A pnpm override was added to package.json and pnpm-lock.yaml to force the use of tar >= 7.5.3, which updated it to 7.5.4.


Linear Issue: TOO-351


Note

Aligns transitive dependency resolution to a secure tar version.

  • Adds pnpm.overrides.tar: ">=7.5.3" in package.json
  • Updates pnpm-lock.yaml to resolve tar to 7.5.4 and adjusts related entries (e.g., @tailwindcss/oxide now referencing tar@7.5.4)

Written by Cursor Bugbot for commit 8c9ce00. This will update automatically on new commits. Configure here.

- Added pnpm override to force tar >= 7.5.3
- Updated pnpm-lock.yaml to use tar@7.5.4
- Resolves TOO-351
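
A lockfile check for the override described in this PR, as an added example that is not part of the pull request or the project's code: it scans pnpm-lock.yaml text for `tar@x.y.z:` package keys and reports any version below the 7.5.3 floor. The key format, the function names and both sample lockfile fragments are assumptions constructed for illustration.

```javascript
// Added example (not from the PR): find tar versions in pnpm-lock.yaml text
// that fall below the floor set by the override in this PR (">=7.5.3").
const FLOOR = [7, 5, 3];

// Compare two [major, minor, patch] arrays numerically; negative when a < b.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] - b[i];
  }
  return 0;
}

// Collect each distinct version keyed as "tar@x.y.z:" (assumed key format).
// Anchoring on the line start keeps tar-stream@... and scoped names out.
function tarVersions(lockText) {
  const re = /^[ \t]+['"]?\/?tar@(\d+)\.(\d+)\.(\d+)['"]?:[ \t]*$/gm;
  const seen = new Set();
  for (const m of lockText.matchAll(re)) seen.add(`${m[1]}.${m[2]}.${m[3]}`);
  return [...seen];
}

// Versions still resolved below the floor; an empty array means the pin held.
function vulnerableTarVersions(lockText, floor = FLOOR) {
  return tarVersions(lockText).filter(
    (v) => compareVersions(v.split('.').map(Number), floor) < 0
  );
}

// Constructed lockfile fragments (integrity values are placeholders).
const SAMPLE_BEFORE = [
  'packages:',
  '',
  '  tar-stream@3.1.7:',
  '    resolution: {integrity: sha512-PLACEHOLDER}',
  '',
  '  tar@7.5.2:',
  '    resolution: {integrity: sha512-PLACEHOLDER}',
  '',
  'snapshots:',
  '',
  '  tar@7.5.2:',
  '    dependencies: {}',
].join('\n');
const SAMPLE_AFTER = SAMPLE_BEFORE.replace(/tar@7\.5\.2/g, 'tar@7.5.4');

console.log('before:', vulnerableTarVersions(SAMPLE_BEFORE));
console.log('after: ', vulnerableTarVersions(SAMPLE_AFTER));
```

Run against the real lockfile contents in CI, a non-empty result means some dependency path still resolves a tar version below the override's floor.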
cursor bot commented Jan 20, 2026

Cursor Agent can help with this pull request. Just @cursor in comments and I'll start working on changes in this branch.
Learn more about Cursor Agents

vercel bot commented Jan 20, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

| Project | Deployment | Review | Updated (UTC) |
| --- | --- | --- | --- |
| docs | Ready | Preview, Comment | Jan 20, 2026 11:13pm |

@evantahler evantahler requested a review from sdserranog January 20, 2026 23:07
@evantahler evantahler marked this pull request as ready for review January 20, 2026 23:07
@evantahler evantahler enabled auto-merge (squash) January 20, 2026 23:07