[TOOL-5898] Update tar to >=7.5.4 to resolve CVE-2026-23950#14
ThomasTrepanier merged 1 commit into main from
Conversation
Added resolutions to force tar>=7.5.4 since upstream @yarnpkg/core still requires tar@^6 with no patched v6 release available.
35a07c1 to 5d87103
| }, | ||
| "resolutions": { | ||
| "tar": "^7.5.4" | ||
| }, |
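Review bot: the key `"tar"` in this resolutions block is unscoped, so it forces `^7.5.4` on every package in the tree that depends on tar, not only on `@yarnpkg/core`; either state in the description that a blanket override is intended, or scope the key to the dependent that actually needs it. Note also that `^7.5.4` stays below 8.0.0, so this override will need revisiting once upstream moves to a range that already includes the fix.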
Untested tar v7 compatibility with Yarn internals
Medium Severity
Forcing tar@^7.5.4 via resolutions upgrades @yarnpkg/core from its expected tar@^6 dependency to v7, which includes a breaking change: the chmod option now defaults to false instead of implicitly true. This means extracted files won't preserve permissions from tar archives by default. While this likely won't affect normal package extraction (system defaults apply), it's an untested configuration that could cause unexpected behavior with executable files or special permissions if Yarn's internal code relies on tar v6's permission-preserving behavior.
BobbyWhiskey left a comment
@BobbyWhiskey reviewed 2 files and all commit messages.
Reviewable status: all files reviewed, 1 unresolved discussion (waiting on cptCloud and ThomasTrepanier).
Summary
Added `resolutions` in `package.json` to force `tar@>=7.5.4`, resolving CVE-2026-23950 (high severity race condition in node-tar path reservations via Unicode collisions on macOS APFS). `@yarnpkg/core` (latest 4.5.0) still depends on `tar@^6` with no patched v6 release available, so a resolution override was the only viable fix path. `tar` instances now resolve to `7.5.9`.
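A way to confirm the claim that every `tar` instance now resolves at or above the pinned version, as an added example that is not part of this PR or of Yarn: it scans a lockfile for `tar` entries and reports any version still below the minimum. It assumes Yarn Berry lockfile syntax, and the lockfile fragments embedded in it are constructed.

```javascript
// Added example, not code from the PR: check that every `tar` entry in a Yarn
// lockfile resolves to at least the version the `resolutions` override demands.
// Assumes Yarn Berry (v2+) lockfile syntax; the lockfiles below are constructed.
const MIN_TAR = "7.5.4";

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// -1, 0 or 1 like a comparator; prerelease tags are ignored.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  return 0;
}

// Package name of a descriptor such as `tar@npm:^6.1.11` or `@yarnpkg/core@npm:^4.5.0`.
function descriptorName(desc) {
  const at = desc.indexOf("@", desc.startsWith("@") ? 1 : 0);
  return at === -1 ? desc : desc.slice(0, at);
}

// All resolved versions of `pkgName` in the lockfile (one per merged entry).
function lockfileVersions(lockText, pkgName) {
  const versions = [];
  let inEntry = false;
  for (const line of lockText.split("\n")) {
    if (line.length && !/^\s/.test(line) && line.endsWith(":")) {
      // Entry header: comma-separated descriptors, quoted when they contain special characters.
      const descs = line.slice(0, -1).replace(/"/g, "").split(",").map((s) => s.trim());
      inEntry = descs.some((d) => descriptorName(d) === pkgName);
      continue;
    }
    const m = inEntry && /^\s+version:?\s*"?([^"\s]+)"?/.exec(line);
    if (m) versions.push(m[1]);
  }
  return versions;
}

// Versions still below the minimum; an empty result means the override took effect everywhere.
function tarBelowMinimum(lockText, min = MIN_TAR) {
  return lockfileVersions(lockText, "tar").filter((v) => compareVersions(v, min) < 0);
}

// Constructed lockfile fragments: before the override (v6 only) and after it (both ranges merged).
const LOCK_BEFORE = `"tar@npm:^6.1.11":\n  version: 6.2.1\n  resolution: "tar@npm:6.2.1"\n`;
const LOCK_AFTER = `"@yarnpkg/core@npm:^4.5.0":\n  version: 4.5.0\n  dependencies:\n    tar: "npm:^6.1.11"\n\n"tar@npm:^6.1.11, tar@npm:^7.5.4":\n  version: 7.5.9\n  resolution: "tar@npm:7.5.9"\n`;
console.log(tarBelowMinimum(LOCK_BEFORE), tarBelowMinimum(LOCK_AFTER)); // [ '6.2.1' ] []
```

Run it against the real `yarn.lock` by reading the file into `lockText`; a non-empty result means some dependent still pulls an unpatched tar.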