From dd8e6003daa384b7d30d73ff27c59dc78ab0cfa6 Mon Sep 17 00:00:00 2001
From: Joeri van Veen
Date: Mon, 16 Mar 2026 15:39:14 +0100
Subject: [PATCH 1/2] fix(security): fix tar vulnerability
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Fixes ‘node-tar Symlink Path Traversal via Drive-Relative Linkpath’ by resolution to tar version 7.5.11.
---
 package.json | 9 ++---
 yarn.lock | 98 +++++++++++++++++++++++++++++++---------------------
 2 files changed, 64 insertions(+), 43 deletions(-)

diff --git a/package.json b/package.json
index 427aaaa5..0fb67f13 100644
--- a/package.json
+++ b/package.json
@@ -35,6 +35,7 @@
 },
 "prettier": "@myparcel/prettier-config",
 "resolutions": {
+ "tar": "7.5.11",
 "vite": "^4.0.0"
 },
 "dependencies": {
@@ -43,8 +44,8 @@
 "@vuepress/plugin-google-analytics": "2.0.0-beta.67",
 "@vuepress/plugin-register-components": "2.0.0-beta.67",
 "@vueuse/core": "^10.5.0",
- "lodash": "^4.17.21",
- "lodash-es": "^4.17.21",
+ "lodash": "4.17.23",
+ "lodash-es": "4.17.23",
 "tailwindcss": "^3.1.6",
 "vue-recaptcha": "^2.0.2",
 "vuepress": "2.0.0-beta.67"
@@ -94,8 +95,8 @@
 "vitest": "^0.34.6",
 "yaml": "^2.4.1"
 },
- "packageManager": "yarn@3.2.2",
+ "packageManager": "yarn@4.12.0",
 "volta": {
- "node": "18.18.0"
+ "node": "24.14.0"
 }
 }
diff --git a/yarn.lock b/yarn.lock
index 7b79e530..ff5178df 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -603,6 +603,15 @@ __metadata:
 languageName: node
 linkType: hard
 
+"@isaacs/fs-minipass@npm:^4.0.0":
+ version: 4.0.1
+ resolution: "@isaacs/fs-minipass@npm:4.0.1"
+ dependencies:
+ minipass: ^7.0.4
+ checksum: 5d36d289960e886484362d9eb6a51d1ea28baed5f5d0140bbe62b99bac52eaf06cc01c2bc0d3575977962f84f6b2c4387b043ee632216643d4787b0999465bf2
+ languageName: node
+ linkType: hard
+
 "@jest/schemas@npm:^29.6.3":
 version: 29.6.3
 resolution: "@jest/schemas@npm:29.6.3"
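Review bot: The new `"tar": "7.5.11"` entry under `resolutions` forces every consumer in the tree onto a new major — the yarn.lock hunk further down shows the replaced descriptors were `tar@npm:^6.1.11` and `tar@npm:^6.1.2` — so this is a potentially API-breaking override rather than a patch-level bump, and nothing in the commit says the tar@6 consumers were exercised against 7.x. Pinning an exact version also means the next tar security release will not be picked up without another manual edit; a range such as `"tar": "^7.5.11"` addresses the advisory while still allowing patch updates. The `packageManager` move from yarn 3.2.2 to 4.12.0 and the volta Node bump from 18.18.0 to 24.14.0 are unrelated to the advisory and are not mentioned in the message; they would be easier to review and bisect as a separate commit, or at least explained in the body. Since package.json cannot carry comments, I would record the rationale in the commit body, e.g. `resolutions.tar is pinned to address the node-tar drive-relative symlink path traversal advisory; tar@6 consumers listed in yarn.lock were checked against the 7.x API.`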
@@ -981,8 +990,8 @@ __metadata:
 hyperlink: ^5.0.4
 is-ci: ^3.0.1
 lint-staged: ^16.2.6
- lodash: ^4.17.21
- lodash-es: ^4.17.21
+ lodash: 4.17.23
+ lodash-es: 4.17.23
 lodash-unified: ^1.0.2
 markdown-it-multimd-table: ^4.1.3
 mock-fs: ^5.1.2
@@ -2935,10 +2944,10 @@ __metadata:
 languageName: node
 linkType: hard
 
-"chownr@npm:^2.0.0":
- version: 2.0.0
- resolution: "chownr@npm:2.0.0"
- checksum: c57cf9dd0791e2f18a5ee9c1a299ae6e801ff58fee96dc8bfd0dcb4738a6ce58dd252a3605b1c93c6418fe4f9d5093b28ffbf4d66648cb2a9c67eaef9679be2f
+"chownr@npm:^3.0.0":
+ version: 3.0.0
+ resolution: "chownr@npm:3.0.0"
+ checksum: fd73a4bab48b79e66903fe1cafbdc208956f41ea4f856df883d0c7277b7ab29fd33ee65f93b2ec9192fc0169238f2f8307b7735d27c155821d886b84aa97aa8d
 languageName: node
 linkType: hard
 
@@ -4906,15 +4915,6 @@ __metadata:
 languageName: node
 linkType: hard
 
-"fs-minipass@npm:^2.0.0":
- version: 2.1.0
- resolution: "fs-minipass@npm:2.1.0"
- dependencies:
- minipass: ^3.0.0
- checksum: 1b8d128dae2ac6cc94230cc5ead341ba3e0efaef82dab46a33d171c044caaa6ca001364178d42069b2809c35a1c3c35079a32107c770e9ffab3901b59af8c8b1
- languageName: node
- linkType: hard
-
 "fs-minipass@npm:^3.0.0":
 version: 3.0.3
 resolution: "fs-minipass@npm:3.0.3"
@@ -6528,10 +6528,10 @@ __metadata:
 languageName: node
 linkType: hard
 
-"lodash-es@npm:^4.17.21":
- version: 4.17.21
- resolution: "lodash-es@npm:4.17.21"
- checksum: 05cbffad6e2adbb331a4e16fbd826e7faee403a1a04873b82b42c0f22090f280839f85b95393f487c1303c8a3d2a010048bf06151a6cbe03eee4d388fb0a12d2
+"lodash-es@npm:4.17.23":
+ version: 4.17.23
+ resolution: "lodash-es@npm:4.17.23"
+ checksum: b1bd1d141bbde8ffc72978e34b364065675806b0ca42ab99477d247fb2ae795faeed81db9283bf18ae1f096c2b6611ec0589e0503fa9724bf82e3dce947bad69
 languageName: node
 linkType: hard
 
@@ -6635,6 +6635,13 @@ __metadata:
 languageName: node
 linkType: hard
 
+"lodash@npm:4.17.23":
+ version: 4.17.23
+ resolution: "lodash@npm:4.17.23"
+ checksum: 7daad39758a72872e94651630fbb54ba76868f904211089721a64516ce865506a759d9ad3d8ff22a2a49a50a09db5d27c36f22762d21766e47e3ba918d6d7bab
+ languageName: node
+ linkType: hard
+
 "lodash@npm:^4.17.14, lodash@npm:^4.17.20, lodash@npm:^4.17.21, lodash@npm:^4.7.0":
 version: 4.17.21
 resolution: "lodash@npm:4.17.21"
@@ -7079,7 +7086,14 @@ __metadata:
 languageName: node
 linkType: hard
 
-"minizlib@npm:^2.1.1, minizlib@npm:^2.1.2":
+"minipass@npm:^7.0.4, minipass@npm:^7.1.2":
+ version: 7.1.3
+ resolution: "minipass@npm:7.1.3"
+ checksum: 2ede17c0bf8fec499be3360fd07f0ec7666189e3907320a9b653f1530cf84af98928c5b12d80bfb75f321833bf2e97785b940540213ebdafe97a5f10327e664d
+ languageName: node
+ linkType: hard
+
+"minizlib@npm:^2.1.2":
 version: 2.1.2
 resolution: "minizlib@npm:2.1.2"
 dependencies:
@@ -7089,6 +7103,15 @@ __metadata:
 languageName: node
 linkType: hard
 
+"minizlib@npm:^3.1.0":
+ version: 3.1.0
+ resolution: "minizlib@npm:3.1.0"
+ dependencies:
+ minipass: ^7.1.2
+ checksum: a15e6f0128f514b7d41a1c68ce531155447f4669e32d279bba1c1c071ef6c2abd7e4d4579bb59ccc2ed1531346749665968fdd7be8d83eb6b6ae2fe1f3d370a7
+ languageName: node
+ linkType: hard
+
 "mkdirp@npm:^0.5.1, mkdirp@npm:^0.5.6":
 version: 0.5.6
 resolution: "mkdirp@npm:0.5.6"
@@ -7100,15 +7123,6 @@ __metadata:
 languageName: node
 linkType: hard
 
-"mkdirp@npm:^1.0.3":
- version: 1.0.4
- resolution: "mkdirp@npm:1.0.4"
- bin:
- mkdirp: bin/cmd.js
- checksum: a96865108c6c3b1b8e1d5e9f11843de1e077e57737602de1b82030815f311be11f96f09cce59bd5b903d0b29834733e5313f9301e3ed6d6f6fba2eae0df4298f
- languageName: node
- linkType: hard
-
 "mkdirp@npm:^3.0.1":
 version: 3.0.1
 resolution: "mkdirp@npm:3.0.1"
@@ -9980,17 +9994,16 @@ __metadata:
 languageName: node
 linkType: hard
 
-"tar@npm:^6.1.11, tar@npm:^6.1.2":
- version: 6.2.0
- resolution: "tar@npm:6.2.0"
+"tar@npm:7.5.11":
+ version: 7.5.11
+ resolution: "tar@npm:7.5.11"
 dependencies:
- chownr: ^2.0.0
- fs-minipass: ^2.0.0
- minipass: ^5.0.0
- minizlib: ^2.1.1
- mkdirp: ^1.0.3
- yallist: ^4.0.0
- checksum: db4d9fe74a2082c3a5016630092c54c8375ff3b280186938cfd104f2e089c4fd9bad58688ef6be9cf186a889671bf355c7cda38f09bbf60604b281715ca57f5c
+ "@isaacs/fs-minipass": ^4.0.0
+ chownr: ^3.0.0
+ minipass: ^7.1.2
+ minizlib: ^3.1.0
+ yallist: ^5.0.0
+ checksum: 7f6785a85dd571b88985e493ec86f692962cbfa7b4017961fddfd2241e0ff3bcd89ed347f4c02b5433aa22b30cca5566e8711543df054fda8fd12425f505378f
 languageName: node
 linkType: hard
 
@@ -11351,6 +11364,13 @@ __metadata:
 languageName: node
 linkType: hard
 
+"yallist@npm:^5.0.0":
+ version: 5.0.0
+ resolution: "yallist@npm:5.0.0"
+ checksum: eba51182400b9f35b017daa7f419f434424410691bbc5de4f4240cc830fdef906b504424992700dc047f16b4d99100a6f8b8b11175c193f38008e9c96322b6a5
+ languageName: node
+ linkType: hard
+
 "yaml@npm:^1.10.2":
 version: 1.10.2
 resolution: "yaml@npm:1.10.2"
From 21d2714f4eb9e56fe9c47cb10bc82622f861131d Mon Sep 17 00:00:00 2001
From: Joeri van Veen
Date: Tue, 17 Mar 2026 10:24:29 +0100
Subject: [PATCH 2/2] fix(security): fix tar vulnerability
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Fixes ‘node-tar Symlink Path Traversal via Drive-Relative Linkpath’ by resolution to tar version 7.5.11.
---
 package.json | 4 ++--
 yarn.lock | 13 +++---------
 2 files changed, 5 insertions(+), 12 deletions(-)

diff --git a/package.json b/package.json
index 0fb67f13..ada0522b 100644
--- a/package.json
+++ b/package.json
@@ -44,8 +44,8 @@
 "@vuepress/plugin-google-analytics": "2.0.0-beta.67",
 "@vuepress/plugin-register-components": "2.0.0-beta.67",
 "@vueuse/core": "^10.5.0",
- "lodash": "4.17.23",
- "lodash-es": "4.17.23",
+ "lodash": "^4.17.21",
+ "lodash-es": "^4.17.21",
 "tailwindcss": "^3.1.6",
 "vue-recaptcha": "^2.0.2",
 "vuepress": "2.0.0-beta.67"
diff --git a/yarn.lock b/yarn.lock
index ff5178df..ef50e13b 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -990,8 +990,8 @@ __metadata:
 hyperlink: ^5.0.4
 is-ci: ^3.0.1
 lint-staged: ^16.2.6
- lodash: 4.17.23
- lodash-es: 4.17.23
+ lodash: ^4.17.21
+ lodash-es: ^4.17.21
 lodash-unified: ^1.0.2
 markdown-it-multimd-table: ^4.1.3
 mock-fs: ^5.1.2
@@ -6528,7 +6528,7 @@ __metadata:
 languageName: node
 linkType: hard
 
-"lodash-es@npm:4.17.23":
+"lodash-es@npm:^4.17.21":
 version: 4.17.23
 resolution: "lodash-es@npm:4.17.23"
 checksum: b1bd1d141bbde8ffc72978e34b364065675806b0ca42ab99477d247fb2ae795faeed81db9283bf18ae1f096c2b6611ec0589e0503fa9724bf82e3dce947bad69
@@ -6635,13 +6635,6 @@ __metadata:
 languageName: node
 linkType: hard
 
-"lodash@npm:4.17.23":
- version: 4.17.23
- resolution: "lodash@npm:4.17.23"
- checksum: 7daad39758a72872e94651630fbb54ba76868f904211089721a64516ce865506a759d9ad3d8ff22a2a49a50a09db5d27c36f22762d21766e47e3ba918d6d7bab
- languageName: node
- linkType: hard
-
 "lodash@npm:^4.17.14, lodash@npm:^4.17.20, lodash@npm:^4.17.21, lodash@npm:^4.7.0":
 version: 4.17.21
 resolution: "lodash@npm:4.17.21"