
Please bump tar-fs dependencies in package-lock.json #7327


Closed
taylorreece opened this issue Jun 4, 2025 · 0 comments · Fixed by #7328
Labels
security, type: bug (code to address defects in shipped code)

Comments

@taylorreece

Describe the bug

It seems like #7322 was closed prematurely.

Steps to reproduce

Currently, if you initialize a new node project

```
mkdir my-project
cd my-project
npm init -y
```

Then, install netlify-cli into that project

```
npm install -D netlify-cli
```

npm warns of downstream tar-fs dependencies bound to a "risky" CVE. Because the netlify-cli turns its package-lock.json into a npm-shrinkwrap.json, a user cannot easily npm audit fix the downstream dependency in their own project. People who install netlify-cli are bound to versions 2.1.2 and 3.0.8 of tar-fs when patched versions 2.1.3 and 3.0.9 are available.

It'd be cool if we could reopen and merge #7322, so when you install netlify-cli, you get patched versions of tar-fs.

Configuration

No response

Environment

  System:
    OS: macOS 15.5
    CPU: (10) arm64 Apple M1 Pro
    Memory: 120.16 MB / 32.00 GB
    Shell: 5.9 - /bin/zsh
  Binaries:
    Node: 22.12.0 - ~/.asdf/installs/nodejs/22.12.0/bin/node
    Yarn: 1.22.19 - ~/.asdf/shims/yarn
    npm: 10.9.0 - ~/.asdf/plugins/nodejs/shims/npm
@taylorreece taylorreece added the `type: bug` (code to address defects in shipped code) label Jun 4, 2025
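The mechanism the report describes is worth being able to check for yourself: a dependency that ships an npm-shrinkwrap.json pins its own transitive versions, so the vulnerable tar-fs copies end up nested under `node_modules/netlify-cli/` and `npm audit fix` in the consuming project cannot move them. The script below is an added example, not code from the netlify-cli project or from the issue author. It reads a lockfile or shrinkwrap (lockfileVersion 2 or 3, which carry a `packages` map keyed by install path), lists every installed copy of a package, flags copies below the patched floor for their major line, and builds the `overrides` stanza a consumer could put in package.json to force the patched versions. Only the tar-fs versions (2.1.2 to 2.1.3, 3.0.8 to 3.0.9) come from the issue; the sample lockfile, the netlify-cli version string and the extra package in it are constructed placeholders.

```javascript
// Added example, not code from the netlify-cli project or the issue author.
// Scans an npm lockfile / npm-shrinkwrap "packages" map for installed copies
// of a package, flags those below a patched floor per major line, and builds
// a package.json "overrides" stanza. Only the tar-fs versions are from the
// issue; the sample lockfile below is constructed for illustration.

// Patched floors per major line, as stated in the issue.
const PATCHED_FLOOR = { "tar-fs": { 2: "2.1.3", 3: "3.0.9" } };

// Constructed sample lockfile (shape of lockfileVersion 3). The netlify-cli
// version and the unrelated package are hypothetical; tar-fs pins mirror the issue.
const SAMPLE_LOCKFILE = {
  name: "my-project",
  lockfileVersion: 3,
  packages: {
    "": { name: "my-project", devDependencies: { "netlify-cli": "*" } },
    "node_modules/netlify-cli": { version: "0.0.0-hypothetical" },
    "node_modules/netlify-cli/node_modules/tar-fs": { version: "2.1.2" },
    "node_modules/tar-fs": { version: "3.0.8" },
    "node_modules/unrelated-dep": { version: "1.4.0" },
  },
};

// Numeric dotted-version comparison. Pre-release tags are stripped, which is
// enough for the release versions found in a lockfile, not full semver ordering.
function parseVersion(v) {
  return v.split("-")[0].split(".").map((n) => parseInt(n, 10) || 0);
}

function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Every install path ending in node_modules/<name>: hoisted to the project root
// or nested under another dependency, which is where a shrinkwrap's pins land.
function findInstalledCopies(lockfile, name) {
  const suffix = `node_modules/${name}`;
  return Object.entries(lockfile.packages || {})
    .filter(([path]) => path === suffix || path.endsWith(`/${suffix}`))
    .map(([path, entry]) => ({ path, version: entry.version }));
}

// Copies whose version is below the patched floor for their major line.
function findVulnerableCopies(lockfile, name, floors) {
  return findInstalledCopies(lockfile, name).flatMap(({ path, version }) => {
    const major = parseVersion(version)[0];
    const floor = floors[major];
    if (floor === undefined || compareVersions(version, floor) >= 0) return [];
    return [{ path, version, floor }];
  });
}

// "overrides" keys take the form "<name>@<range>"; one entry per affected major
// line so each copy moves to the patched release of its own line.
function buildOverrides(name, vulnerable) {
  const overrides = {};
  for (const { version, floor } of vulnerable) {
    overrides[`${name}@${parseVersion(version)[0]}`] = floor;
  }
  return overrides;
}

function report(lockfile, name, floors) {
  const vulnerable = findVulnerableCopies(lockfile, name, floors);
  return { vulnerable, overrides: buildOverrides(name, vulnerable) };
}

const result = report(SAMPLE_LOCKFILE, "tar-fs", PATCHED_FLOOR["tar-fs"]);
for (const v of result.vulnerable) {
  console.log(`${v.path}: ${v.version} < ${v.floor}`);
}
console.log(JSON.stringify({ overrides: result.overrides }, null, 2));
```

To run it against a real project, replace `SAMPLE_LOCKFILE` with `JSON.parse(fs.readFileSync("package-lock.json"))` (or the dependency's `node_modules/netlify-cli/npm-shrinkwrap.json`). After adding the printed `overrides` to package.json and re-running `npm install`, confirm the result with `npm ls tar-fs` rather than assuming it took effect: whether an override reaches packages pinned by a dependency's npm-shrinkwrap.json is something to verify on the npm version in use, and the clean fix remains the upstream one this issue asks for, a bumped shrinkwrap in netlify-cli itself.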
serhalp added a commit that referenced this issue Jun 4, 2025
This is just the result of running `npm audit fix`.

Previously:
```
4 vulnerabilities (1 low, 2 moderate, 1 high)
```

After:
```
0 vulnerabilities
```

Fixes #7327.

It looks like Dependabot malfunctioned in #7322.
serhalp added a commit that referenced this issue Jun 6, 2025
* fix(deps): upgrade deps to resolve 4 security alerts

This is just the result of running `npm audit fix`.

Previously:
```
4 vulnerabilities (1 low, 2 moderate, 1 high)
```

After:
```
0 vulnerabilities
```

Fixes #7327.

It looks like Dependabot malfunctioned in #7322.

* fix(deps): dedupe npm deps

* fix(deps): dedupe deps again

* fix(deps): dedupe again after rebase