
Conversation

@soinclined

Description

This PR updates the tar package from version 7.5.1 to 7.5.2 to address security vulnerability CVE-2025-64118, which was flagged by Dependabot alert #371.

The vulnerability involves a race condition in tar.list() with sync: true that could lead to uninitialized memory exposure if a tar file is truncated while being read. While the conditions for exploitation are specific (requires sync mode, attacker-controlled file truncation, and processing of entry contents), updating to the patched version eliminates the risk entirely.

The fix was implemented using pnpm's overrides feature to force all transitive dependencies to use tar@7.5.2, ensuring minimal changes to the dependency tree. As a bonus, this also cleaned up an old unused tar@6.2.1 dependency and its related packages.

Test plan

  • ✅ All library builds pass (pnpm build:libs)
  • ✅ All unit tests pass (pnpm test:vitest - 48 tests across 15 suites)
  • ✅ Lint checks pass (pnpm lint)
  • ✅ Verified tar@7.5.2 is the only tar version in pnpm-lock.yaml
  • ⏳ CI checks pending (will verify on PR)

Package updates

This is a security patch for a transitive dependency. No changeset is required as this doesn't affect the public API of any published packages.


Link to Devin run: https://app.devin.ai/sessions/ed69d15ffcf0484dac24e49393cfc641
Requested by: Penelope (@soinclined)

Review checklist:

Update tar from 7.5.1 to 7.5.2 to address security vulnerability CVE-2025-64118.
This fixes a race condition in tar.list() that could lead to uninitialized memory exposure.

The fix was implemented using pnpm overrides to ensure minimal changes to the dependency tree.

Co-Authored-By: Penelope <penelope@paella.dev>
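The override mechanism the description refers to, written out as an added example of how a pnpm workspace root forces one version of a transitive dependency. This is not a copy of this PR's diff (the page shows no changed files); the manifest name is a placeholder, and only the `tar` pin to 7.5.2 comes from the description:

```json
{
  "name": "workspace-root-placeholder",
  "private": true,
  "pnpm": {
    "overrides": {
      "tar": "7.5.2"
    }
  }
}
```

The `pnpm.overrides` map applies to every occurrence of the named package in the resolution graph, which is why a single entry also retires the unrelated `tar@6.2.1` the description mentions. After `pnpm install`, `pnpm why tar` lists which dependents now resolve to 7.5.2, and `grep -n "tar@" pnpm-lock.yaml` should show exactly one version, the same check the test plan above records. A pin like this masks, rather than removes, the outdated transitive range, so the override should be dropped once the direct dependents publish releases that require the patched version themselves.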
@devin-ai-integration
Contributor

Original prompt from Penelope
https://github.com/Crossmint/crossmint-sdk/security/dependabot/371

please create a PR that does what this dependabot cannot, confirm it doesn't break anything and changes as little as possible, and then share the PR with me to review

@devin-ai-integration
Contributor

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

  • Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
  • Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

  • Disable automatic comment and CI monitoring

@changeset-bot

changeset-bot bot commented Nov 13, 2025

⚠️ No Changeset found

Latest commit: 03cdad5

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

@vercel

vercel bot commented Nov 13, 2025

The latest updates on your projects. Learn more about Vercel for GitHub.

1 Skipped Deployment
Project Deployment Preview Comments Updated (UTC)
smart-wallet-auth-demo Ignored Ignored Nov 13, 2025 1:50am
