Fix tar-fs CVE by overriding to 3.1.1 #2150
Update tar-fs override from 3.0.7 to 3.1.1 in package.json to address an additional CVE requiring at least version 3.1.1.
29e8659 to 2646630
Pull request overview
Updates the Lighthouse benchmark app’s Node dependency graph to mitigate a known tar-fs path traversal vulnerability coming in transitively via puppeteer / @puppeteer/browsers.
Changes:
- Add an npm `overrides` entry to force `tar-fs` to a non-vulnerable version.
- Regenerate `package-lock.json`, including upgrading it to `lockfileVersion: 3`.
Reviewed changes
Copilot reviewed 1 out of 2 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| src/BenchmarksApps/Lighthouse/package.json | Adds a tar-fs override alongside the existing cookie override. |
| src/BenchmarksApps/Lighthouse/package-lock.json | Updates the resolved dependency tree and switches the lockfile to v3 format. |
| "version": "1.0.0", | ||
| "lockfileVersion": 1, | ||
| "lockfileVersion": 3, | ||
| "requires": true, | ||
| "dependencies": { | ||
| "@babel/code-frame": { | ||
| "packages": { |
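Review bot: the lockfile header jumps from `lockfileVersion: 1` straight to `3` and the top-level `dependencies` map becomes `packages`, which rewrites the whole lockfile rather than just the tar-fs entry, yet the PR description only mentions the override. Please call out the format bump in the description and confirm the npm used by the Lighthouse build reads v3 lockfiles, or regenerate with that npm so the format stays what the build expects.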
This updates the lockfile format to lockfileVersion 3. That format requires npm versions that understand v3 lockfiles; otherwise npm ci will fail. Please ensure the Lighthouse Docker build environment uses npm 9+ (or pin/upgrade npm in the Dockerfile), or keep the lockfile at the version supported by the repo’s build tooling.
Note: I don't think the benchmark has run in more than a year /cc @MackinnonBuck
Add tar-fs 3.1.1 override in package.json to address path traversal vulnerability (CVE) in tar-fs < 3.1.1, a transitive dependency via puppeteer/@puppeteer/browsers.
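As an added check (not code from the PR or the repo), a small Node script that walks the `packages` map of a v2/v3-style lockfile and reports any tar-fs copy still below 3.1.1, including nested copies that a stale lockfile could still pin; the lockfile object below is constructed, not the repo's.

```javascript
// Added example (not from the PR): verify a package-lock.json no longer resolves
// any copy of tar-fs below the fixed version. Lockfile v2/v3 keys every install
// under "packages" by its node_modules path, so nested copies appear separately.

const PKG = "tar-fs";
const FIXED = "3.1.1"; // minimum non-vulnerable tar-fs, per the PR

// Parse "MAJOR.MINOR.PATCH" into numbers; any "-pre" or "+build" suffix is dropped.
function parseVersion(v) {
  const parts = v.split(/[-+]/)[0].split(".").map(Number);
  if (parts.length !== 3 || parts.some(Number.isNaN)) {
    throw new Error(`unparseable version: ${v}`);
  }
  return parts;
}

// Comparator: -1 if a < b, 0 if equal, 1 if a > b.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Return every tar-fs install in the lockfile whose version is below FIXED.
function findVulnerable(lock) {
  if (!lock.packages) throw new Error("no 'packages' map: needs lockfileVersion 2 or 3");
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages)) {
    // Keys look like "node_modules/@puppeteer/browsers/node_modules/tar-fs".
    const isTarFs = path === `node_modules/${PKG}` || path.endsWith(`/node_modules/${PKG}`);
    if (isTarFs && compareVersions(entry.version, FIXED) < 0) {
      hits.push({ path, version: entry.version });
    }
  }
  return hits;
}

// Constructed sample (not the repo's lockfile): the hoisted copy is fixed, but a
// nested copy under @puppeteer/browsers is still on 3.0.7.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "lighthouse-bench", version: "1.0.0" },
    "node_modules/tar-fs": { version: "3.1.1" },
    "node_modules/@puppeteer/browsers/node_modules/tar-fs": { version: "3.0.7" },
  },
};

console.log(findVulnerable(sampleLock)); // one hit: the nested 3.0.7 copy
```

To run it against the real file, pass `JSON.parse(require("fs").readFileSync("package-lock.json", "utf8"))` to `findVulnerable` instead of the sample; an empty array means every resolved tar-fs is at or above 3.1.1.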