

@igeto igeto commented Feb 4, 2026


Summary

  • Bump tar from ^6.1.11 to ^6.2.1 to address CVE-2024-28863
  • Bump node-gyp from 8.x to 10.x in peer and optional dependencies

Security Fix

This PR addresses CVE-2024-28863, a denial of service vulnerability in node-tar with a CVSS 3.1 score of 6.5 (Medium).

The vulnerability allows an attacker to craft a malicious tar archive with excessively deep folder hierarchies. When extracted, this can cause uncontrolled resource consumption leading to memory exhaustion and Node.js process crashes.

Reference: https://nvd.nist.gov/vuln/detail/cve-2024-28863

The fix is included in tar v6.2.1, which prevents extraction in excessively deep subdirectories.

Compatibility

Both updated dependencies maintain compatibility with Node.js 16 and later:

  • tar@^6.2.1 supports Node.js 14+
  • node-gyp@10.x supports Node.js 16+

Note

Low Risk
Dependency-only change; main risk is build/install compatibility on environments that still rely on older node-gyp, but no runtime code paths change.

Overview
Updates dependency versions in package.json: bumps tar to ^6.2.1 and raises node-gyp from 8.x to 10.x for both peerDependencies and optionalDependencies (impacting the build toolchain used for native rebuilds).

Written by Cursor Bugbot for commit 6fef12f.
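The description above explains the failure mode behind CVE-2024-28863 (archives with excessively deep directory hierarchies exhausting memory on extraction) and the fix floor (tar 6.2.1). The following is an added example, not code from this PR or from the node-tar project: a defender-side pre-extraction guard that screens a listing of archive entry paths against a depth budget, plus a small version-floor check of the kind you would run against a lockfile's resolved tar version. It assumes you already have the entry paths as strings (for instance from a tar listing step); the sample listing, the `MAX_DEPTH` budget and the helper names are all constructed for this example.

```javascript
// Added example (not part of the PR): screen tar entry paths for excessive
// directory depth before extraction, and check a tar version against the
// 6.2.1 fix floor. Pure JavaScript, no archive is read and no package is required.

// Count directory levels in a tar entry path. A leading "./", empty segments
// and a trailing slash (directory entries) do not add depth.
function entryDepth(entryPath) {
  const segments = entryPath.split('/').filter((s) => s !== '' && s !== '.');
  return segments.length;
}

// Partition entries into those within the depth budget and those over it,
// so a caller can refuse the archive (or skip the offending entries) up front.
function partitionByDepth(entryPaths, maxDepth) {
  const accepted = [];
  const rejected = [];
  for (const p of entryPaths) {
    (entryDepth(p) <= maxDepth ? accepted : rejected).push(p);
  }
  return { accepted, rejected };
}

// Minimal "is version X at least version Y" comparison for three-part versions.
// A leading range marker such as "^" or "~" is stripped; pre-release tags are
// ignored. Constructed helper for this example, not the semver package's API.
function versionAtLeast(actual, required) {
  const toParts = (v) =>
    v.replace(/^[^\d]*/, '').split('.').map((n) => parseInt(n, 10) || 0);
  const a = toParts(actual);
  const r = toParts(required);
  for (let i = 0; i < 3; i++) {
    if ((a[i] || 0) > (r[i] || 0)) return true;
    if ((a[i] || 0) < (r[i] || 0)) return false;
  }
  return true; // equal
}

const TAR_FIX_FLOOR = '6.2.1'; // version named on the page as carrying the fix

// Constructed sample listing: ordinary package files plus one pathological
// entry nested 1000 directories deep, the shape the advisory describes.
const SAMPLE_ENTRIES = [
  'package/package.json',
  'package/lib/index.js',
  'package/lib/util/deep/ok.js',
  Array.from({ length: 1000 }, (_, i) => `d${i}`).join('/') + '/payload.txt',
];

const MAX_DEPTH = 64; // depth budget; an assumed value, tune per deployment

// Run the guard over the constructed listing and return the partition.
function checkSample() {
  return partitionByDepth(SAMPLE_ENTRIES, MAX_DEPTH);
}

// Summarise the two checks a reviewer of this PR would want to see pass.
function report(installedTarVersion) {
  const { accepted, rejected } = checkSample();
  return {
    tarVersionOk: versionAtLeast(installedTarVersion, TAR_FIX_FLOOR),
    acceptedEntries: accepted.length,
    rejectedEntries: rejected.length,
    deepestRejected: Math.max(0, ...rejected.map(entryDepth)),
  };
}

console.log(JSON.stringify(report('6.2.1'), null, 2));
```

The depth guard is a belt-and-braces control: even with tar 6.2.1 in place, rejecting a listing that exceeds a sane depth budget before any directories are created gives a clear, loggable reason for refusal instead of relying on the library's internal limit. The version check is the part you would wire into CI against the resolved version in the lockfile, since the `^6.2.1` range in package.json only guarantees the floor if the lockfile actually resolves at or above it.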


coderabbitai bot commented Feb 4, 2026

Walkthrough

This pull request updates dependency versions in package.json. The tar dependency is upgraded from ^6.1.11 to ^6.2.1. Additionally, node-gyp is upgraded from 8.x to 10.x in both the peerDependencies and optionalDependencies sections. The changes consist of three version declarations across these dependency fields with no functional or structural modifications to the project.

