
npm audit reports high severity vulnerabilities via tar (make-fetch-happen -> cacache -> tar) #46

@pmd3d

Description

Summary

Running npm audit after installing purescript (which depends on purescript-installer) reports 5 high severity vulnerabilities coming from a vulnerable tar version pulled in through:

purescript → purescript-installer → make-fetch-happen → cacache → tar

npm audit fix reports that fixes are available only with --force and that it may install a different/breaking version of purescript.

Affected advisories

node-tar is Vulnerable to Arbitrary File Overwrite and Symlink Poisoning via Insufficient Path Sanitization - GHSA-8qq5-rm4j-mr97

Race Condition in node-tar Path Reservations via Unicode Ligature Collisions on macOS APFS - GHSA-r6q2-hw4h-h46w

Steps to reproduce

Using a clean environment (example: Ubuntu Docker):

docker run --rm -it ubuntu:latest bash
apt-get update
apt-get install -y curl ca-certificates
curl -fsSL https://deb.nodesource.com/setup_current.x | bash -
apt-get install -y nodejs

mkdir -p /work
cd /work
npm init -y
npm install --save-dev purescript
npm audit

Actual result

npm audit reports (excerpt):

tar <=7.5.3
Severity: high
node-tar is Vulnerable to Arbitrary File Overwrite and Symlink Poisoning via Insufficient Path Sanitization - GHSA-8qq5-rm4j-mr97
Race Condition in node-tar Path Reservations via Unicode Ligature Collisions on macOS APFS - GHSA-r6q2-hw4h-h46w
fix available via npm audit fix --force
Will install purescript@0.14.9, which is a breaking change
node_modules/tar
cacache 14.0.0 - 18.0.4
Depends on vulnerable versions of tar
node_modules/make-fetch-happen/node_modules/cacache
make-fetch-happen 7.1.1 - 14.0.0
Depends on vulnerable versions of cacache
node_modules/make-fetch-happen
purescript-installer >=0.2.3
Depends on vulnerable versions of make-fetch-happen
Depends on vulnerable versions of tar
node_modules/purescript-installer
purescript >=0.15.0-alpha-06
Depends on vulnerable versions of purescript-installer
node_modules/purescript

5 high severity vulnerabilities

To address all issues (including breaking changes), run:
npm audit fix --force

Expected result

purescript-installer’s dependency tree should avoid vulnerable versions of tar / cacache (or otherwise provide a remediation path that does not require npm audit fix --force).

Environment

  • OS: [e.g. Ubuntu 24.04 in Docker / ubuntu:latest]

  • Node: 25.3.0

  • npm: 11.6.2

  • purescript package version: purescript@0.15.15

  • purescript-installer version: purescript-installer@0.3.5

Notes / possible direction

It looks like the vulnerabilities are introduced via make-fetch-happen/cacache pulling in tar <= 7.5.3. Would it be possible to bump make-fetch-happen and/or cacache to versions that depend on a patched tar, or otherwise pin/override to a safe range?
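The two remediation options the report ends on (find which paths pull in the old tar, then pin it with an override) can be checked mechanically. The script below is an added example, not code from this issue or from the purescript-installer project: it walks a dependency tree in the shape of `npm ls --all --json` output, lists every path that ends in a tar version at or below the 7.5.3 bound from the audit excerpt, and emits the package.json `overrides` entry that would pin tar past that bound. The tree it runs on is constructed to mirror the chain in the report; the make-fetch-happen, cacache and tar versions in it are assumed for illustration, not taken from a real install.

```javascript
// Added example: not code from the issue or from purescript-installer.
// Finds every path in an `npm ls --all --json`-style tree that ends in a tar
// version inside the range the npm audit excerpt flags (tar <= 7.5.3) and
// emits the package.json `overrides` entry that would pin tar past it.
// The tree below is constructed to mirror the chain the issue describes; the
// make-fetch-happen, cacache and tar versions in it are assumed, not observed.

const MAX_VULNERABLE_TAR = "7.5.3"; // upper bound from the npm audit excerpt

// Compare two semver-like strings numerically on major.minor.patch, ignoring
// any prerelease/build suffix. Returns -1, 0 or 1.
function compareVersions(a, b) {
  const parse = (v) =>
    v.replace(/^v/, "").split(/[-+]/)[0].split(".").map((n) => parseInt(n, 10) || 0);
  const pa = parse(a);
  const pb = parse(b);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Depth-first walk over node.dependencies, collecting "a@1 -> b@2 -> ..." paths
// to every occurrence of pkgName whose version is <= maxVulnerable.
function findVulnerablePaths(tree, pkgName, maxVulnerable) {
  const hits = [];
  const walk = (node, path) => {
    for (const [name, child] of Object.entries(node.dependencies || {})) {
      const here = [...path, `${name}@${child.version}`];
      if (name === pkgName && child.version &&
          compareVersions(child.version, maxVulnerable) <= 0) {
        hits.push(here.join(" -> "));
      }
      walk(child, here);
    }
  };
  walk(tree, [tree.name || "root"]);
  return hits;
}

// package.json fragment: npm (8.3 and later) applies `overrides` to transitive
// dependencies, which is the "pin/override to a safe range" option raised above.
function buildOverride(pkgName, maxVulnerable) {
  return { overrides: { [pkgName]: `>${maxVulnerable}` } };
}

// Constructed tree (shape of `npm ls --all --json`, heavily trimmed).
const SAMPLE_TREE = {
  name: "work",
  version: "1.0.0",
  dependencies: {
    purescript: {
      version: "0.15.15",
      dependencies: {
        "purescript-installer": {
          version: "0.3.5",
          dependencies: {
            "make-fetch-happen": {
              version: "14.0.0", // assumed; inside the 7.1.1 - 14.0.0 range audit reports
              dependencies: {
                cacache: {
                  version: "18.0.4", // assumed; inside 14.0.0 - 18.0.4
                  dependencies: { tar: { version: "6.2.1" } }, // assumed; <= 7.5.3
                },
              },
            },
            tar: { version: "6.2.1" }, // the direct dependency audit also lists (assumed version)
          },
        },
      },
    },
  },
};

// Returns both the offending paths and the override fragment, so a caller
// (or a CI check) can assert on them rather than reading console output.
function report(tree) {
  const paths = findVulnerablePaths(tree, "tar", MAX_VULNERABLE_TAR);
  return { paths, override: buildOverride("tar", MAX_VULNERABLE_TAR) };
}

const result = report(SAMPLE_TREE);
for (const p of result.paths) console.log("vulnerable:", p);
console.log(JSON.stringify(result.override, null, 2));
```

To run it against a real tree, replace `SAMPLE_TREE` with the parsed output of `npm ls --all --json`. Two caveats worth keeping in mind: an `overrides` entry forces a version regardless of the range cacache or make-fetch-happen declare for tar, so after adding one, confirm with `npm ls tar` that a single version is installed and run the installer end to end, because pushing tar across a major version can break the package that consumes it; and the `>7.5.3` bound is taken only from the audit excerpt, so check the advisories themselves for the exact patched release before committing the override.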
