[security] deps: vulnerability in tar (moderate) #99
Labels
No labels
autopilot:pending-human
source:analyste
source:defenseur
source:human
source:medic
status:approved
status:blocked
status:in-progress
status:needs-clarification
status:needs-fix
status:ready
status:review
status:triage
type:bug
type:feature
type:infra
type:refactor
type:schema
type:security
No milestone
No project
No assignees
1 participant
Notifications
Due date
No due date set.
Dependencies
No dependencies set.
Reference: maximus/simpl-liste#99
Loading…
Reference in a new issue
No description provided.
Delete branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Contexte
Detecte par le Defenseur (npm audit) le 2026-06-30. GHSA-vmf3-w455-68vh ("node-tar applies PAX size override to intermediary GNU long-name/long-link headers, file smuggling"), moderate, range
<=7.5.15.Chaine transitive unique :
expo > @expo/cli@54.0.24 > tar@7.5.15(dev-only, tooling CLI).@expo/clideclare^7.5.2, compatible avec7.5.19(dernier patch registre, corrige le CVE des7.5.16).Travail a faire
"tar": "^7.5.19"dans le blocoverrides["@expo/cli"]existantnpm installnpm ls tar>= 7.5.16,npm auditne liste plus tarFichiers concernes
package.json(sectionoverrides.@expo/cli)package-lock.json(regenere)Surface de test
Aucune (dev-only, tooling CLI Expo). Verification :
npx expo start/npx expo --versionfonctionnent toujours.Criteres d'acceptation
npm audit --json | jq '.vulnerabilities.tar'videnpm ls tar>= 7.5.16ws,undici) inchanges dans le bloc@expo/cliComplexite estimee
Simple.
Plan global
Fait partie du lot #95-#99 (5 fixes deps du meme scan Defenseur). Voir issue #96 pour le detail du plan combine et le bloc
overridesfinal complet.