Deps security#715

Draft
AlexAxthelm wants to merge 4 commits into main from deps-security

Conversation

@AlexAxthelm (Collaborator)

Updates dependencies that are outdated and throwing security warnings

Adds `tar` as a development dependency on a recent version, to
work around security issues with older `tar` transitively added through
`semantic-release`
@AlexAxthelm AlexAxthelm requested review from Copilot and jdhoffa and removed request for Copilot January 28, 2026 09:55
@AlexAxthelm AlexAxthelm self-assigned this Jan 28, 2026
github-actions bot commented Jan 28, 2026

Expected version change and release notes:

1.11.0-dev.4 (v1.11.0-dev.3...deps-security) (2026-02-10T13:37 UTC)

Build System

  • dev-deps: Add placeholder tar dependency (dba744c)

github-actions bot commented

Azure Static Web Apps: Your stage site is ready! Visit it here: https://proud-glacier-0f640931e-715.westus2.2.azurestaticapps.net

Copilot AI (Contributor) left a comment

Pull request overview

Updates the project’s Node.js dependency tree to address security warnings, primarily by introducing a newer tar version and refreshing the lockfile.

Changes:

  • Add tar@^7.5.7 as a devDependency to mitigate vulnerable transitive tar usage.
  • Regenerate package-lock.json, updating a large set of transitive dependencies (including npm and its bundled deps).

Reviewed changes

Copilot reviewed 1 out of 2 changed files in this pull request and generated 1 comment.

  • package.json: Adds tar as an explicit devDependency to influence dependency resolution for security remediation.
  • package-lock.json: Updates resolved dependency graph to include tar@7.5.7 and refreshes many transitive packages.

Comment on lines 83 to 85
"tailwindcss": "^4.1.7",
"tar": "^7.5.7",
"ts-node": "^10.9.2",
Copilot AI Jan 28, 2026

Adding tar as a top-level devDependency doesn’t ensure all transitive/bundled tar copies get upgraded. The lockfile still includes other tar versions (e.g., npm bundles its own tar), so if the goal is to eliminate a specific vulnerable transitive tar, consider using overrides (or bumping the upstream package that brings tar) and then regenerating the lockfile to verify only the intended version remains.

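As an added example (not code from the PR or from the project), a small Node script that does the verification the review comment asks for, run on a constructed lockfile: it lists every resolved copy of `tar` in a `package-lock.json` (lockfileVersion 2/3 layout, where each installed copy is a key under `packages`) and flags copies below the intended minimum, marking bundled copies, which are installed as shipped inside the parent package's tarball and so are not rewritten by an `overrides` entry. The lockfile contents, the npm version and the bundled tar version are assumptions.

```javascript
// Added example (not from the PR): audit a package-lock.json (lockfileVersion 2/3 layout)
// for every resolved copy of a package and report copies below a minimum version.
// The lockfile below is constructed; its paths and versions are assumptions.
const sampleLock = {
  name: "example-site",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-site", devDependencies: { tar: "^7.5.7" } },
    "node_modules/tar": { version: "7.5.7", dev: true },
    "node_modules/npm": { version: "10.9.0", dev: true },
    // npm ships its own tar; a bundled copy is installed as-is from npm's tarball.
    "node_modules/npm/node_modules/tar": { version: "6.2.1", dev: true, inBundle: true },
  },
};

// Parse "MAJOR.MINOR.PATCH" into numbers, ignoring any pre-release/build suffix
// (so "7.5.7-rc.1" is treated like "7.5.7"; good enough for a floor check).
function parseVersion(v) {
  return v.split(/[-+]/)[0].split(".").map(Number);
}

// Comparator: negative if a < b, zero if equal, positive if a > b.
function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Every installed copy of `name`: lockfile path, resolved version, bundled flag.
function findCopies(lock, name) {
  return Object.entries(lock.packages)
    .filter(([p]) => p === `node_modules/${name}` || p.endsWith(`/node_modules/${name}`))
    .map(([path, entry]) => ({ path, version: entry.version, bundled: Boolean(entry.inBundle) }));
}

// Copies still below the version the remediation intends to be the only one present.
function findOutdated(lock, name, minVersion) {
  return findCopies(lock, name).filter((c) => compareVersions(c.version, minVersion) < 0);
}

for (const c of findOutdated(sampleLock, "tar", "7.5.7")) {
  const note = c.bundled ? " (bundled: an overrides entry will not replace it)" : "";
  console.log(`${c.path} resolves to ${c.version}${note}`);
}
```

On a real checkout the same listing comes from `npm ls tar --all` after regenerating the lockfile; any copy it still shows below the target version, bundled or not, is the one the remediation has not reached.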
@AlexAxthelm AlexAxthelm marked this pull request as draft January 28, 2026 14:41
github-actions bot commented Feb 2, 2026

Azure Static Web Apps: Your stage site is ready! Visit it here: https://proud-glacier-0f640931e-715.westus2.2.azurestaticapps.net
