Commit 753b230

fix: upgrade tar to 7.5.10 to patch CVE-2026-29786
Add pnpm override to force tar@>=7.5.10 across all transitive dependencies. The vulnerability (GHSA-qffp-2rhf-9h96) allows hardlink path traversal via drive-relative linkpaths (e.g. C:../target.txt), enabling arbitrary file overwrite outside the extraction directory. [email protected] was pulled in transitively via mintlify -> @mintlify/previewing. https://claude.ai/code/session_01LpHvg7gvwzGesRa3h5PFh6
1 parent af5a52a commit 753b230

2 files changed

Lines changed: 36 additions & 55 deletions

pnpm-lock.yaml

Lines changed: 33 additions & 55 deletions

pnpm-workspace.yaml

Lines changed: 3 additions & 0 deletions
@@ -2,6 +2,9 @@ overrides:
22
# Fix CVE-2024-45296 / GHSA-9wv6-86v2-598j: path-to-regexp ReDoS vulnerability
33
# Transitive via mintlify -> @mintlify/previewing -> [email protected]
44
"path-to-regexp@<0.1.10": "0.1.10"
5+
# Fix CVE-2026-29786 / GHSA-qffp-2rhf-9h96: tar hardlink path traversal via drive-relative linkpath
6+
# Transitive via mintlify -> @mintlify/previewing
7+
"tar@<7.5.10": "7.5.10"
58

69
packages:
710
- apps/agentstack-ui
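Review bot: the selector `"tar@<7.5.10"` on the added override line matches every tar release below 7.5.10, including any 5.x or 6.x copy in the tree, and rewrites all of them to 7.5.10, which is a major-version jump for those consumers; since the comment only names the `mintlify -> @mintlify/previewing` path, either narrow the selector to the 7.x line that path actually pulls in (for example `"tar@>=7.0.0 <7.5.10": "7.5.10"`) or confirm with `pnpm why tar` after install that no older major line is affected, and record that check in the comment the way the existing `path-to-regexp` entry records its transitive path.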

0 commit comments
