From 029c65da7986ebaedf389957a38f3ed95bb13a42 Mon Sep 17 00:00:00 2001
From: Claude
Date: Sun, 14 Jun 2026 12:19:52 +0000
Subject: [PATCH 1/2] Update tar to 7.5.11+ to fix Dependabot alert

tar@6.2.1 was pulled in transitively via npm-check-updates' toolchain (cacache, node-gyp, pacote). Add a pnpm override forcing tar >=7.5.11 to resolve the security advisory. Now resolves to tar@7.5.16.
https://claude.ai/code/session_01NPQ9AiNNnapeoTQFAR1ShY
---
 package.json | 5 +++++
 pnpm-lock.yaml | 59 +++++++++++++++++++++++++++++++++++++-------------
 2 files changed, 49 insertions(+), 15 deletions(-)

diff --git a/package.json b/package.json
index 7666c0d..d743ef2 100644
--- a/package.json
+++ b/package.json
@@ -10,5 +10,10 @@
 "dependencies": {
 "@tailwindcss/cli": "^4.1.18",
 "flowbite": "^4.0.1"
+ },
+ "pnpm": {
+ "overrides": {
+ "tar": "^7.5.11"
+ }
 }
 }
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
index 803e331..d4768e7 100644
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@@ -4,6 +4,9 @@ settings: autoInstallPeers: true excludeLinksFromLockfile: false +overrides: + tar: ^7.5.11 + importers: .:
@@ -55,6 +58,10 @@ packages: resolution: {integrity: sha512-O8jcjabXaleOG9DQ0+ARXWZBTfnP4WNAqzuiJK7ll44AmxGKv/J2M4TPjxjY3znBCfvBXFzucm1twdyFybFqEA==} engines: {node: '>=12'} + '@isaacs/fs-minipass@4.0.1': + resolution: {integrity: sha512-wgm9Ehl2jpeqP3zw/7mo3kRHFp5MEDhqAdwy1fTGkHAwnkGOVsgpvQhL8B5n1qlb01jV3n/bI0ZfZp5lWA1k4w==} + engines: {node: '>=18.0.0'} + '@jridgewell/gen-mapping@0.3.13': resolution: {integrity: sha512-2kkt/7niJ6MgEPxF0bYdQ6etZaA+fQvDcLKckhy1yIQOzaoKjBBjSj63/aLVjYE3qhRt5dvM+uUyfCg6UKCBbA==}
@@ -497,6 +504,10 @@ packages: resolution: {integrity: sha512-bIomtDF5KGpdogkLd9VspvFzk9KfpyyGlS8YFVZl7TGPBHL5snIOnxeshwVgPteQ9b4Eydl+pVbIyE1DcvCWgQ==} engines: {node: '>=10'} + chownr@3.0.0: + resolution: {integrity: sha512-+IxzY9BZOQd/XuYPRmrvEVjF/nqj5kgT4kEq7VofrDoM1MxoRjEWkrCC3EtLi59TVawxTAn+orJwFQcrqEN1+g==} + engines: {node: '>=18'} + ci-info@3.9.0: resolution: {integrity: sha512-NIxF55hv4nSqQswkAeiOi1r83xy8JldOFDTWiug55KBu9Jnblncd2U6ViHmYgHf01TPZS77NJBhBMKdWj9HQMQ==} engines: {node: '>=8'} @@ -1124,6 +1135,10 @@ packages: resolution: {integrity: sha512-bAxsR8BVfj60DWXHE3u30oHzfl4G7khkSuPW+qvpd7jFRHm7dLxOjUk1EHACJ/hxLY8phGJ0YhYHZo7jil7Qdg==} engines: {node: '>= 8'} + minizlib@3.1.0: + resolution: {integrity: sha512-KZxYo1BUkWD2TVFLr0MQoM8vUUigWD3LlD83a/75BqC+4qE0Hb1Vo5v1FgcfaNXvfXzr+5EhQ6ing/CaBijTlw==} + engines: {node: '>= 18'} + mkdirp@1.0.4: resolution: {integrity: sha512-vVqVZQyf3WLx2Shd0qJ9xuvqgAyKPLAiqITEtqW0oIUjzo3PePDd6fW9iFz30ef7Ysp/oiWqbhszeGWW2T6Gzw==} engines: {node: '>=10'} @@ -1543,10 +1558,9 @@ packages: resolution: {integrity: sha512-uxc/zpqFg6x7C8vOE7lh6Lbda8eEL9zmVm/PLeTPBRhh1xCgdWaQ+J1CUieGpIfm2HdtsUpRv+HshiasBMcc6A==} engines: {node: '>=6'} - tar@6.2.1: - resolution: {integrity: sha512-DZ4yORTwrbTj/7MZYq2w+/ZFdI6OZ/f9SFHR+71gIVUZhOQPHzVCLpvRnPgyaMpfWxxk/4ONva3GQSyNIKRv6A==} - engines: {node: '>=10'} - deprecated: Old versions of tar are not supported, and contain widely publicized security vulnerabilities, which have been fixed in the current version. Please update. Support for old versions may be purchased (at exorbitant rates) by contacting i@izs.me + tar@7.5.16: + resolution: {integrity: sha512-56adEpPMouktRlBLXiaYFFzZ/3+JXa8P9n7WbR+ibIjtviN55mEaOkiysCnPnWm+7kkui1Dn8J9l+g6zV8731w==} + engines: {node: '>=18'} to-regex-range@5.0.1: resolution: {integrity: sha512-65P7iz6X5yEr1cwcgvQxbbIw7Uk3gOy5dIdtZ4rDveLqhrdJP+Li/Hx6tyK0NEb+2GCyneCMJiGqrADCSNk8sQ==} 
@@ -1659,6 +1673,10 @@ packages: yallist@4.0.0: resolution: {integrity: sha512-3wdGidZyq5PB084XLES5TpOSRA3wjXAlIWMhum2kRcv/41Sn2emQ0dycQW4uZXLejwKvg6EsvbdlVL+FYEct7A==} + yallist@5.0.0: + resolution: {integrity: sha512-YgvUTfwqyc7UXVMrB+SImsVYSmTS8X/tSrtdNZMImM+n7+QTriRXyXim0mBrTXNeqzVF0KWGgHPeiyViFFrNDw==} + engines: {node: '>=18'} + yargs-parser@21.1.1: resolution: {integrity: sha512-tVpsJW7DdjecAiFpbIB1e3qxIQsE6NoPc5/eTdrbbIC4h0LVsWhnoa3g+m2HclBIujHzsxZ4VJVA+GUuc2/LBw==} engines: {node: '>=12'} @@ -1691,6 +1709,10 @@ snapshots: wrap-ansi: 8.1.0 wrap-ansi-cjs: wrap-ansi@7.0.0 + '@isaacs/fs-minipass@4.0.1': + dependencies: + minipass: 7.1.3 + '@jridgewell/gen-mapping@0.3.13': dependencies: '@jridgewell/sourcemap-codec': 1.5.5 @@ -2083,7 +2105,7 @@ snapshots: promise-inflight: 1.0.1 rimraf: 3.0.2 ssri: 9.0.1 - tar: 6.2.1 + tar: 7.5.16 unique-filename: 2.0.1 transitivePeerDependencies: - bluebird @@ -2100,7 +2122,7 @@ snapshots: minipass-pipeline: 1.2.4 p-map: 4.0.0 ssri: 10.0.6 - tar: 6.2.1 + tar: 7.5.16 unique-filename: 3.0.0 cacheable-lookup@7.0.0: {} @@ -2126,6 +2148,8 @@ snapshots: chownr@2.0.0: {} + chownr@3.0.0: {} + ci-info@3.9.0: {} clean-stack@2.2.0: {} @@ -2733,6 +2757,10 @@ snapshots: minipass: 3.3.6 yallist: 4.0.0 + minizlib@3.1.0: + dependencies: + minipass: 7.1.3 + mkdirp@1.0.4: {} mri@1.2.0: {} @@ -2756,7 +2784,7 @@ snapshots: npmlog: 6.0.2 rimraf: 3.0.2 semver: 7.8.2 - tar: 6.2.1 + tar: 7.5.16 which: 2.0.2 transitivePeerDependencies: - bluebird @@ -2907,7 +2935,7 @@ snapshots: read-package-json-fast: 3.0.2 sigstore: 1.9.0 ssri: 10.0.6 - tar: 6.2.1 + tar: 7.5.16 transitivePeerDependencies: - bluebird - supports-color @@ -3188,14 +3216,13 @@ snapshots: tapable@2.3.3: {} - tar@6.2.1: + tar@7.5.16: dependencies: - chownr: 2.0.0 - fs-minipass: 2.1.0 - minipass: 5.0.0 - minizlib: 2.1.2 - mkdirp: 1.0.4 - yallist: 4.0.0 + '@isaacs/fs-minipass': 4.0.1 + chownr: 3.0.0 + minipass: 7.1.3 + minizlib: 3.1.0 + yallist: 5.0.0 to-regex-range@5.0.1: dependencies: 
@@ -3314,6 +3341,8 @@ snapshots: yallist@4.0.0: {} + yallist@5.0.0: {} + yargs-parser@21.1.1: {} yargs@17.7.2:
From d9a883569608fdfcfd8d0787f38de71538f9d842 Mon Sep 17 00:00:00 2001
From: Claude
Date: Sun, 14 Jun 2026 12:22:22 +0000
Subject: [PATCH 2/2] Move tar override to pnpm-workspace.yaml

pnpm v11 (installed in CI via `npm install -g pnpm`) no longer reads the `pnpm.overrides` field from package.json, which caused ERR_PNPM_LOCKFILE_CONFIG_MISMATCH during the frozen install. Move the override to pnpm-workspace.yaml, the new home for the setting, so CI's pnpm reads it and matches the lockfile.
https://claude.ai/code/session_01NPQ9AiNNnapeoTQFAR1ShY
---
 package.json | 5 -----
 pnpm-workspace.yaml | 2 ++
 2 files changed, 2 insertions(+), 5 deletions(-)
 create mode 100644 pnpm-workspace.yaml

diff --git a/package.json b/package.json
index d743ef2..7666c0d 100644
--- a/package.json
+++ b/package.json
@@ -10,10 +10,5 @@
 "dependencies": {
 "@tailwindcss/cli": "^4.1.18",
 "flowbite": "^4.0.1"
- },
- "pnpm": {
- "overrides": {
- "tar": "^7.5.11"
- }
 }
 }
diff --git a/pnpm-workspace.yaml b/pnpm-workspace.yaml
new file mode 100644
index 0000000..9a82d5c
--- /dev/null
+++ b/pnpm-workspace.yaml
@@ -0,0 +1,2 @@
+overrides:
+ tar: ^7.5.11
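Review bot: The new pnpm-workspace.yaml carries the tar override with no comment recording why it exists or when it can be dropped, while it forces a major-version jump (tar 6.2.1 → 7.5.16, node >=18 per the lockfile entry in the first patch) onto cacache, node-gyp and pacote, whose own ranges resolved tar 6 until now. A comment directly above `overrides:` such as `# Security: force tar >=7.5.11 for npm-check-updates' transitive deps (cacache, node-gyp, pacote); remove once they resolve a fixed tar on their own` keeps the next maintainer from silently dropping or extending the pin. Because a frozen install only proves the lockfile matches, it is worth having CI actually execute the tool that pulls tar in (npm-check-updates) so an API break in the forced major version surfaces before release. If the commit message's claim that pnpm v11 ignores `pnpm.overrides` in package.json holds, this file and the `overrides:` stanza the first patch added to pnpm-lock.yaml are the only two records of the pin and must be kept in sync.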