Copilot AI commented Jan 22, 2026

tar 7.5.2 has two security vulnerabilities patched in 7.5.4:

  • Race condition via Unicode ligature collisions on macOS APFS (≤7.5.3)
  • Arbitrary file overwrite and symlink poisoning (≤7.5.2)

Changes

  • Bump tar dependency from ^7.5.2 to ^7.5.4 in package.json

The tar package is used in lib/install.js for extracting Node.js header files during installation.

Original prompt

This section details the original issue you should resolve

<issue_title>CVE-2026-23950 - dependency update request for node-tard</issue_title>
<issue_description>GHSA-r6q2-hw4h-h46w

node-tar is currently 7.5.2, CVE patched in 7.5.4</issue_description>

<agent_instructions>Upgrade this dependency to avoid this CVE.</agent_instructions>

Comments on the Issue (you are @copilot in this section)



Co-authored-by: cclauss <3709715+cclauss@users.noreply.github.com>
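A caveat a reviewer would check on a bump like this: changing the `^7.5.2` range in package.json only guarantees a fix if the lockfile actually resolves tar to 7.5.4 or later, and a nested copy pulled in by another dependency can stay on the old version. The following is an added example, not code from the node-gyp repository or this PR, that scans an npm lockfile (lockfileVersion 2/3 `packages` map, which is an assumption about the lockfile format) for every resolved copy of `tar` below the patched version named in the PR description. The sample lockfile and the `some-dep` package in it are constructed for the demonstration.

```javascript
// Added example (not part of the node-gyp PR): find every resolved copy of
// "tar" in an npm package-lock.json that is older than the patched release.
const PATCHED_TAR = '7.5.4'; // patched version stated in the PR description

// Minimal major.minor.patch parser. Pre-release/build suffixes are ignored,
// which is enough here because npm resolves dependencies to published releases.
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`not a semver version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Returns -1, 0 or 1 like a comparator, comparing major, then minor, then patch.
function compareSemver(a, b) {
  const pa = parseSemver(a);
  const pb = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Walk the lockfile's "packages" map (lockfileVersion 2/3, an assumption about
// the format) and collect every entry whose path is a copy of the "tar"
// package, including copies nested under other dependencies.
function findTarVersions(lock) {
  const found = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === 'node_modules/tar' || path.endsWith('/node_modules/tar')) {
      found.push({ path, version: entry.version });
    }
  }
  return found;
}

// Entries that still resolve below the patched version.
function vulnerableTarEntries(lock, patched = PATCHED_TAR) {
  return findTarVersions(lock).filter((e) => compareSemver(e.version, patched) < 0);
}

// Human-readable report lines, one per unpatched copy (empty array means clean).
function report(lock, patched = PATCHED_TAR) {
  return vulnerableTarEntries(lock, patched).map(
    (e) => `${e.path} resolves tar ${e.version}, below patched ${patched}`
  );
}

// Constructed sample lockfile: the top-level tar is already bumped, but a
// hypothetical dependency "some-dep" still pins its own nested copy of 7.5.2.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { dependencies: { tar: '^7.5.4' } },
    'node_modules/tar': { version: '7.5.4' },
    'node_modules/some-dep': { version: '1.0.0', dependencies: { tar: '^7.5.2' } },
    'node_modules/some-dep/node_modules/tar': { version: '7.5.2' },
  },
};

// Running this file directly prints the findings for the constructed sample.
if (typeof require !== 'undefined' && require.main === module) {
  const lines = report(sampleLock);
  console.log(lines.length ? lines.join('\n') : 'all resolved tar copies are patched');
}
```

To use it against a real project, load `package-lock.json` with `JSON.parse(fs.readFileSync(...))` and pass the object to `report`; a non-empty result means `npm update tar` (or a bump in the dependency that nests it) is still needed even though package.json looks correct.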
Copilot AI changed the title [WIP] Update node-tar to version 7.5.4 to mitigate CVE-2026-23950 Upgrade tar to 7.5.4 to address CVE-2026-23950 Jan 22, 2026
Copilot AI requested a review from cclauss January 22, 2026 13:49
@legendecas legendecas marked this pull request as ready for review January 26, 2026 14:08
@legendecas legendecas merged commit 7bf371c into main Jan 26, 2026
37 checks passed
@legendecas legendecas deleted the copilot/update-node-tar-dependency branch January 26, 2026 14:09