From 99efae3139cd2846c0550039e20f94a72225e2df Mon Sep 17 00:00:00 2001
From: Kevin Herembourg
Date: Mon, 16 Feb 2026 14:34:04 +0100
Subject: [PATCH] fix: resolve tar vulnerabilities (CVE-2026-23745, CVE-2026-23950, CVE-2026-24842)

Update tar resolution in root package.json from >=7.5.4 to >=7.5.7 and add npm override in expo test project to force tar to >=7.5.7, fixing Dependabot alerts #525, #526, #530 for path traversal and race condition vulnerabilities.

Co-Authored-By: Claude Opus 4.6
---
 package.json | 2 +-
 test-projects/expo-purchasely-test/package-lock.json | 6 +++---
 test-projects/expo-purchasely-test/package.json | 3 ++-
 yarn.lock | 8 ++++----
 4 files changed, 10 insertions(+), 9 deletions(-)

diff --git a/package.json b/package.json
index 2db7c05..96b81e2 100644
--- a/package.json
+++ b/package.json
@@ -31,7 +31,7 @@
 "js-yaml": "^4.1.1",
 "lodash": ">=4.17.23",
 "lodash-es": ">=4.17.23",
- "tar": ">=7.5.4"
+ "tar": ">=7.5.7"
 },
 "workspaces": [
 "packages/*",
diff --git a/test-projects/expo-purchasely-test/package-lock.json b/test-projects/expo-purchasely-test/package-lock.json
index 0a7de78..d0ed737 100644
--- a/test-projects/expo-purchasely-test/package-lock.json
+++ b/test-projects/expo-purchasely-test/package-lock.json
@@ -8212,9 +8212,9 @@
 }
 },
 "node_modules/tar": {
- "version": "7.5.2",
- "resolved": "https://registry.npmjs.org/tar/-/tar-7.5.2.tgz",
- "integrity": "sha512-7NyxrTE4Anh8km8iEy7o0QYPs+0JKBTj5ZaqHg6B39erLg0qYXN3BijtShwbsNSvQ+LN75+KV+C4QR/f6Gwnpg==",
+ "version": "7.5.9",
+ "resolved": "https://registry.npmjs.org/tar/-/tar-7.5.9.tgz",
+ "integrity": "sha512-BTLcK0xsDh2+PUe9F6c2TlRp4zOOBMTkoQHQIWSIzI0R7KG46uEwq4OPk2W7bZcprBMsuaeFsqwYr7pjh6CuHg==",
 "license": "BlueOak-1.0.0",
 "dependencies": {
 "@isaacs/fs-minipass": "^4.0.0",
diff --git a/test-projects/expo-purchasely-test/package.json b/test-projects/expo-purchasely-test/package.json
index 08f15d6..578bf8b 100644
--- a/test-projects/expo-purchasely-test/package.json
+++ b/test-projects/expo-purchasely-test/package.json
@@ -24,6 +24,7 @@
 },
 "private": true,
 "overrides": {
- "@isaacs/brace-expansion": ">=5.0.1"
+ "@isaacs/brace-expansion": ">=5.0.1",
+ "tar": ">=7.5.7"
 }
 }
\ No newline at end of file
diff --git a/yarn.lock b/yarn.lock
index 965d2cf..94d571b 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -12547,16 +12547,16 @@ __metadata:
 languageName: node
 linkType: hard
-"tar@npm:>=7.5.4":
- version: 7.5.7
- resolution: "tar@npm:7.5.7"
+"tar@npm:>=7.5.7":
+ version: 7.5.9
+ resolution: "tar@npm:7.5.9"
 dependencies:
 "@isaacs/fs-minipass": ^4.0.0
 chownr: ^3.0.0
 minipass: ^7.1.2
 minizlib: ^3.1.0
 yallist: ^5.0.0
- checksum: 82fa04804b6cae4c0b46b84e97a08c39e1c17bb959350baa32d139bcf5e1fc7ebc3ceb72465dd3e2e311992386ecc13599a257d5672158490ceb9464146d5573
+ checksum: 26fbbdf536895814167d03e4883f80febb6520729169c54d0f29ee8a163557283862752493f0e5b60800a6f3608aac3250c41fac8e20a4f056ba4fa63f3dbad7
 languageName: node
 linkType: hard
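Review bot: The new `"tar": ">=7.5.7"` override in the expo test project (and the matching root resolution bump in the first hunk) sets a floor with no ceiling, so the next lockfile regeneration would accept any later major of tar, including one with breaking changes for the transitive dependents that asked for 7.x. The lockfiles pin 7.5.9 today, so this only surfaces on a refresh, but the range is what enforces the fix going forward. Consider `"tar": "^7.5.7"` in both files unless resolving to a future 8.x is intended; this does follow the existing `>=` style used for lodash in the root file, so if that convention is deliberate it may be acceptable as-is. Separately, the test project's package.json still ends without a trailing newline (`\ No newline at end of file`), which keeps producing noisy diffs on every edit to that file.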