Upgrade `tar` used to extract SWC binary by LucianBuzzo · Pull Request #89158 · vercel/next.js

LucianBuzzo · 2026-01-28T11:18:48Z

Stacked on #89201

See GHSA-r6q2-hw4h-h46w

nextjs-bot · 2026-01-28T11:19:17Z

Allow CI Workflow Run

approve CI run for commit: 40e9675de6e6245c6350999c09662c58625a4b3e

Note: this should only be enabled once the PR is ready to go and can only be enabled by a maintainer

eps1lon · 2026-01-28T12:59:27Z

Doesn't look like we're affected since we're controlling the tar archive (SWC).

Can you make sure you ran pnpm types-and-precompiled and committed the changes?

LucianBuzzo · 2026-01-28T16:08:40Z

@eps1lon Yep, I don't think this CVE is material to next 👍
It does get flagged by tools like the AWS vulnerability scanner which causes noise downstream, hence my PR here 😄
I tried running pnpm types-and-precompiled but I'm hitting a seemingly unrelated issue with zlib:

next:typescript: ../../node_modules/.pnpm/minizlib@3.1.0/node_modules/minizlib/dist/commonjs/index.d.ts:21:205 - error TS2694: Namespace '"zlib"' has no exported member 'ZstdCompress'.
next:typescript: 
next:typescript: 21 export type ZlibHandle = realZlib.Gzip | realZlib.Gunzip | realZlib.Deflate | realZlib.Inflate | realZlib.DeflateRaw | realZlib.InflateRaw | realZlib.BrotliCompress | realZlib.BrotliDecompress | realZlib.ZstdCompress | realZlib.ZstdDecompress;
next:typescript:                                                                                                                                                                                                                ~~~~~~~~~~~~
next:typescript: ../../node_modules/.pnpm/minizlib@3.1.0/node_modules/minizlib/dist/commonjs/index.d.ts:21:229 - error TS2694: Namespace '"zlib"' has no exported member 'ZstdDecompress'.
next:typescript: 
next:typescript: 21 export type ZlibHandle = realZlib.Gzip | realZlib.Gunzip | realZlib.Deflate | realZlib.Inflate | realZlib.DeflateRaw | realZlib.InflateRaw | realZlib.BrotliCompress | realZlib.BrotliDecompress | realZlib.ZstdCompress | realZlib.ZstdDecompress;
next:typescript:                                                                                                                                                                                                                                        ~~~~~~~~~~~~~~
next:typescript: 
next:typescript: 
next:typescript: Found 2 errors.
next:typescript:  ELIFECYCLE  Command failed with exit code 1.
next:typescript: ERROR: command finished with error: command (/Volumes/owc-express-1m2/projects/next.js/packages/next) /Users/lucianbuzzo/Library/pnpm/.tools/pnpm/9.6.0/bin/pnpm run typescript exited (1)
next#typescript: command (/Volumes/owc-express-1m2/projects/next.js/packages/next) /Users/lucianbuzzo/Library/pnpm/.tools/pnpm/9.6.0/bin/pnpm run typescript exited (1)

Any idea what I might be doing wrong?

eps1lon · 2026-01-28T16:46:29Z

Yeah there's more type issues this unraveled that I'm fixing now so that we can land this soon.

nextjs-bot · 2026-01-29T00:18:31Z

Tests Passed

LucianBuzzo · 2026-01-29T12:01:13Z

Awesome thanks @eps1lon - it's much appreciated.

See GHSA-r6q2-hw4h-h46w

eps1lon · 2026-01-29T15:44:40Z

@@ -32,7 +32,6 @@
    "@types/cross-spawn": "6.0.0",
    "@types/node": "20.14.2",
    "@types/prompts": "2.4.2",
-    "@types/tar": "6.1.13",


7.x ships with types

eps1lon · 2026-01-29T15:45:55Z

@@ -1,7 +1,7 @@
 import fs from 'fs'
 import path from 'path'
 import * as Log from '../build/output/log'
-import tar from 'next/dist/compiled/tar'
+import { x } from 'next/dist/compiled/tar'


Fixes https://github.com/vercel/next.js/actions/runs/21478682004/job/61871994420?pr=89158#step:35:228.

Matches how we use 7.x in CNA already:

next.js/packages/create-next-app/helpers/examples.ts

Line 5 in ab4b372

import { x } from 'tar'

nextjs-bot added the type: next label Jan 28, 2026

eps1lon changed the title ~~fix(deps): resolve CVE-2026-23950 by upgrading tar to v7.5.7~~ Upgrade tar used to extract SWC binary Jan 28, 2026

eps1lon mentioned this pull request Jan 29, 2026

Bump Node.js types #89199

Draft

eps1lon force-pushed the lucianbuzzo/CVE-2026-23950 branch from 40e9675 to 7b40e1d Compare January 29, 2026 00:12

eps1lon force-pushed the lucianbuzzo/CVE-2026-23950 branch from 7b40e1d to db902ea Compare January 29, 2026 00:20

eps1lon mentioned this pull request Jan 29, 2026

Ensure .md licenses are included in vendored packages #89201

Merged

fix(deps): resolve CVE-2026-23950 by upgrading tar to v7.5.7

daadf49

See GHSA-r6q2-hw4h-h46w

eps1lon force-pushed the lucianbuzzo/CVE-2026-23950 branch from db902ea to e388d46 Compare January 29, 2026 12:46

eps1lon approved these changes Jan 29, 2026

View reviewed changes

eps1lon force-pushed the lucianbuzzo/CVE-2026-23950 branch from e388d46 to d009027 Compare January 29, 2026 15:44

nextjs-bot added the create-next-app Related to our CLI tool for quickly starting a new Next.js application. label Jan 29, 2026

eps1lon reviewed Jan 29, 2026

View reviewed changes

eps1lon force-pushed the lucianbuzzo/CVE-2026-23950 branch from d009027 to a94e96c Compare January 29, 2026 16:09

Fix types-and-precompiled

ab2151c

eps1lon force-pushed the lucianbuzzo/CVE-2026-23950 branch from a94e96c to ab2151c Compare January 29, 2026 16:57

eps1lon merged commit a5a9293 into vercel:canary Jan 29, 2026
278 of 280 checks passed

github-actions Bot added the locked label Feb 13, 2026

github-actions Bot locked as resolved and limited conversation to collaborators Feb 13, 2026

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Upgrade `tar` used to extract SWC binary #89158

Upgrade `tar` used to extract SWC binary #89158
eps1lon merged 2 commits intovercel:canaryfrom
LucianBuzzo:lucianbuzzo/CVE-2026-23950

LucianBuzzo commented Jan 28, 2026 •

edited by eps1lon

Loading

Uh oh!

nextjs-bot commented Jan 28, 2026

Uh oh!

eps1lon commented Jan 28, 2026

Uh oh!

LucianBuzzo commented Jan 28, 2026

Uh oh!

eps1lon commented Jan 28, 2026

Uh oh!

nextjs-bot commented Jan 29, 2026 •

edited

Loading

Uh oh!

LucianBuzzo commented Jan 29, 2026

Uh oh!

eps1lon Jan 29, 2026

Uh oh!

eps1lon Jan 29, 2026

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

Conversation

LucianBuzzo commented Jan 28, 2026 • edited by eps1lon Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

nextjs-bot commented Jan 28, 2026

Uh oh!

eps1lon commented Jan 28, 2026

Uh oh!

LucianBuzzo commented Jan 28, 2026

Uh oh!

eps1lon commented Jan 28, 2026

Uh oh!

nextjs-bot commented Jan 29, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Tests Passed

Uh oh!

LucianBuzzo commented Jan 29, 2026

Uh oh!

eps1lon Jan 29, 2026

Choose a reason for hiding this comment

Uh oh!

eps1lon Jan 29, 2026

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

LucianBuzzo commented Jan 28, 2026 •

edited by eps1lon

Loading

nextjs-bot commented Jan 29, 2026 •

edited

Loading