Skip to content

WEB-4345 - Resolve Vanta vulnerability for tar#635

Open
henry-tp wants to merge 3 commits into
developfrom
WEB-4345-vanta
Open

WEB-4345 - Resolve Vanta vulnerability for tar#635
henry-tp wants to merge 3 commits into
developfrom
WEB-4345-vanta

Conversation

@henry-tp

@henry-tp henry-tp commented May 12, 2026

Copy link
Copy Markdown
Contributor

@henry-tp
henry-tp requested a review from krystophv May 14, 2026 22:58

@krystophv krystophv left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Did we look into what the version bumps for our direct dependencies would look like to get tar up to spec?

Comment thread package.json
"prismjs": "1.29.0",
"socks": "^2.7.3"
"socks": "^2.7.3",
"tar": "^7.5.7"

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

My preference would be to use yarn why tar to investigate what it would take for our more direct dependencies to be updated to versions that meet the transitive tar version requirement instead of relying on an ever-growing list of resolutions. At a minimum, though, we should be pinning the resolutions versions to exact versions.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants