
BHP1-1504 Bump node-tar in behave_components to fix CVE#217

Merged
rjsheperd merged 1 commit into main from BHP1-1504-bump-behave-components-deps
Apr 27, 2026

Conversation

@rjsheperd
Contributor

Purpose

Pin transitive tar (pulled via terser-webpack-plugin > cacache) to ^6.2.1 via both resolutions (yarn) and overrides (npm) in bases/behave_components/package.json, then regenerate both lockfiles. Closes the "Race Condition in node-tar Path Reservations via Unicode Ligature Collisions on macOS APFS" advisory. Also adds nodejs + yarn to projects/behave/flake.nix so the update is reproducible in the nix dev shell.

Related Issues

https://sig-gis.atlassian.net/browse/BHP1-1504

Pin transitive `tar` (pulled via terser-webpack-plugin > cacache) to
>=6.2.1 via both yarn `resolutions` and npm `overrides` so the
behave_components yarn.lock and package-lock.json stop showing the
"Race Condition in node-tar Path Reservations via Unicode Ligature
Collisions on macOS APFS" advisory.

Also adds `nodejs` and `yarn` to the projects/behave dev flake so
regenerating these lockfiles is reproducible in the nix shell.
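A check a practitioner would run after regenerating package-lock.json, as an added example that is not part of this PR or of the behave_components project: it walks every installed copy of `tar` in a lockfileVersion 2/3 package-lock.json, including nested copies under another package's own node_modules (the place a transitive pin can silently miss), and verifies each one satisfies the `^6.2.1` pin the PR applies via npm `overrides`. The lockfile contents below are constructed samples, not the project's lockfile, and the other package versions in them are made up; the script name in the usage note is assumed.

```javascript
'use strict';

// Floor of the PR's `^6.2.1` pin (caret: same major, not older than the floor).
const MIN_TAR = '6.2.1';

// Parse "MAJOR.MINOR.PATCH[-prerelease][+build]" into a numeric core plus a prerelease flag.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$/.exec(String(v));
  if (!m) throw new Error(`not a semver version: ${v}`);
  return { core: [Number(m[1]), Number(m[2]), Number(m[3])], prerelease: m[4] !== undefined };
}

// -1, 0 or 1. A prerelease sorts before its release (6.2.1-rc.1 < 6.2.1), so a
// prerelease of the fixed version is not accepted as the fix.
function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) {
    if (pa.core[i] !== pb.core[i]) return pa.core[i] < pb.core[i] ? -1 : 1;
  }
  if (pa.prerelease !== pb.prerelease) return pa.prerelease ? -1 : 1;
  return 0;
}

// Caret range check matching the package.json pin: same major and >= floor.
function satisfiesCaret(version, floor) {
  return parseVersion(version).core[0] === parseVersion(floor).core[0]
    && compareVersions(version, floor) >= 0;
}

// Package name of a "packages" key: the segment after the LAST "node_modules/".
// "node_modules/cacache/node_modules/tar" is a nested copy of tar, not of cacache.
function packageName(lockPath) {
  const marker = 'node_modules/';
  const i = lockPath.lastIndexOf(marker);
  return i === -1 ? null : lockPath.slice(i + marker.length);
}

// Report every installed copy of `name` in a v2/v3 lockfile and whether it meets the floor.
// ok is true only when no copy violates the pin.
function auditPackage(lock, name, floor) {
  if (!lock.packages || typeof lock.packages !== 'object') {
    throw new Error(`lockfileVersion ${lock.lockfileVersion}: only v2/v3 ("packages" map) is handled`);
  }
  const findings = [];
  for (const [lockPath, entry] of Object.entries(lock.packages)) {
    if (packageName(lockPath) !== name) continue;
    findings.push({ path: lockPath, version: entry.version, ok: satisfiesCaret(entry.version, floor) });
  }
  return { ok: findings.every((f) => f.ok), findings };
}

// Constructed sample (not the real lockfile): two copies of tar, both below the floor,
// one of them nested under cacache where a hoisted-only check would not look.
const SAMPLE_LOCK_BEFORE = {
  name: 'behave_components',
  lockfileVersion: 3,
  packages: {
    '': { name: 'behave_components', version: '0.0.0' },
    'node_modules/terser-webpack-plugin': { version: '5.0.0' },
    'node_modules/cacache': { version: '15.0.0' },
    'node_modules/tar': { version: '6.1.11' },
    'node_modules/cacache/node_modules/tar': { version: '6.2.0' },
  },
};

// Constructed sample after the override is applied and the lockfile regenerated:
// a single hoisted tar at the pinned version.
const SAMPLE_LOCK_AFTER = {
  name: 'behave_components',
  lockfileVersion: 3,
  packages: {
    '': { name: 'behave_components', version: '0.0.0' },
    'node_modules/terser-webpack-plugin': { version: '5.0.0' },
    'node_modules/cacache': { version: '15.0.0' },
    'node_modules/tar': { version: '6.2.1' },
  },
};

// CLI: node check-tar-pin.js path/to/package-lock.json  (exit 1 on any violating copy)
if (typeof require !== 'undefined' && require.main === module && process.argv[2]) {
  const lock = JSON.parse(require('fs').readFileSync(process.argv[2], 'utf8'));
  const result = auditPackage(lock, 'tar', MIN_TAR);
  for (const f of result.findings) console.log(`${f.ok ? 'ok  ' : 'FAIL'} ${f.path} ${f.version}`);
  process.exitCode = result.ok ? 0 : 1;
}
```

Run as `node check-tar-pin.js bases/behave_components/package-lock.json` (script name assumed). Two caveats for the yarn side: yarn.lock is not JSON, so this script covers only package-lock.json and the yarn tree still needs its own look (`yarn why tar` after regeneration shows which ranges resolved to which version); and npm `overrides` are honoured only by npm 8.3 or newer, so regenerating package-lock.json with an older npm silently leaves the transitive tar where it was.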
rjsheperd merged commit e4f1e57 into main Apr 27, 2026
1 check passed