@mridang mridang commented Oct 3, 2025

Description

Added npm overrides to enforce patched versions of dependencies:

  • tmp bumped to ^0.2.4
  • tar-fs pinned to 3.1.0 to remediate CVE-2025-59343 (symlink validation bypass)

This ensures our lockfile pulls in safe versions and clears active Dependabot alerts.

Related Issue

Fixes Dependabot alert for CVE-2025-59343 in tar-fs.
Resolves security warnings flagged in #7.

Motivation and Context

tar-fs versions <3.1.1 and <2.1.4 are vulnerable to a symlink validation bypass.
Since dockerode and testcontainers still transitively depend on older versions,
explicit overrides are required to ensure patched versions are used.

Updating tmp to ^0.2.4 also addresses related security notices.

How Has This Been Tested?

  • Ran npm install after overrides to confirm patched versions resolved in npm ls.
  • Verified that both tar-fs (3.1.0) and tmp (^0.2.4) appear in the dependency tree.
  • Confirmed no regressions in local test suite (npm test).

Documentation:

No documentation updates required since this is an internal dependency override.

Checklist:

  • I have updated the documentation accordingly. (N/A – no docs required)
  • I have assigned the correct milestone or created one if non-existent.
  • I have correctly labeled this pull request.
  • I have linked the corresponding issue in this description.
  • I have requested a review from at least 2 reviewers.
  • I have checked the base branch of this pull request.
  • I have checked my code for any possible security vulnerabilities.

- Added override for `tmp` to ^0.2.4
- Forced `tar-fs` to 3.1.0 to address CVE-2025-59343 (symlink validation bypass)
- Ensures Dependabot alerts are resolved by pinning safe versions
@mridang mridang self-assigned this Oct 3, 2025
@mridang mridang added the dependencies Pull requests that update a dependency file label Oct 3, 2025
@mridang mridang merged commit 339bbed into beta Oct 3, 2025
13 checks passed