Open
Labels: @aws-cdk/aws-stepfunctions (Related to AWS StepFunctions), bug (This issue is a bug.), needs-triage (This issue or PR still needs to be triaged.)
Description
Describe the bug
CVE-2026-23745 is a bug in node-tar <= 7.5.2.
aws-cdk pulls this in indirectly and because of the long dependency chain it's not possible for us to update the underlying dependency directly:
$ yarn why -R tar
│ └─ aws-cdk@npm:2.1101.0 (via npm:2.1101.0)
│    └─ fsevents@patch:fsevents@npm%3A2.3.2#optional!builtin<compat/fsevents>::version=2.3.2&hash=df0bf1 (via patch:fsevents@npm%3A2.3.2#optional!builtin<compat/fsevents>)
│       └─ node-gyp@npm:10.2.0 (via npm:latest)
│          ├─ make-fetch-happen@npm:13.0.1 (via npm:^13.0.0)
│          │  └─ cacache@npm:18.0.4 (via npm:^18.0.0)
│          │     └─ tar@npm:6.2.1 (via npm:^6.1.11)
│          └─ tar@npm:6.2.1 (via npm:^6.2.1)
Regression Issue
- Select this option if this issue appears to be a regression.
Last Known Working CDK Library Version
No response
Expected Behavior
n/a
Current Behavior
n/a
Reproduction Steps
n/a
Possible Solution
No response
Additional Information/Context
No response
AWS CDK Library version (aws-cdk-lib)
2.235.1
AWS CDK CLI version
2.1101.0
Node.js Version
v22.11.0
OS
macos
Language
TypeScript
Language Version
No response
Other information
No response
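As an added example (not code from the issue author or the CDK project), a small Python parser for the `yarn why -R tar` tree quoted in the report: it reconstructs the path from the root to every `tar` node, flags copies whose resolved version falls in the affected range (<= 7.5.2, as the report states), and names the immediate dependent whose declared range pins that copy, which is where a fix has to land. The `SAMPLE` text is constructed from the issue's output with the tree indentation restored; the 3-column indent per level is an assumption about yarn's tree layout.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample, modelled on the `yarn why -R tar` output quoted in this
# issue, with the tree indentation restored; real input is whatever yarn prints.
SAMPLE = """\
│ └─ aws-cdk@npm:2.1101.0 (via npm:2.1101.0)
│    └─ fsevents@patch:fsevents@npm%3A2.3.2#optional!builtin<compat/fsevents>::version=2.3.2&hash=df0bf1 (via patch:fsevents@npm%3A2.3.2#optional!builtin<compat/fsevents>)
│       └─ node-gyp@npm:10.2.0 (via npm:latest)
│          ├─ make-fetch-happen@npm:13.0.1 (via npm:^13.0.0)
│          │  └─ cacache@npm:18.0.4 (via npm:^18.0.0)
│          │     └─ tar@npm:6.2.1 (via npm:^6.1.11)
│          └─ tar@npm:6.2.1 (via npm:^6.2.1)
"""

NODE_RE = re.compile(r"[└├]─ (?P<name>[^@\s]+)@(?P<ref>\S+)")
# Resolved version: "npm:X.Y.Z" for registry packages, "::version=X.Y.Z" for patched ones.
VERSION_RE = re.compile(r"(?:^npm:|version=)(\d+\.\d+\.\d+)")


def version_tuple(v: str) -> Tuple[int, ...]:
    return tuple(int(p) for p in v.split("."))


def parse_tree(text: str) -> List[Tuple[List[str], str, Optional[str]]]:
    """Return (path_from_root, name, resolved_version) for every node in the tree."""
    nodes, stack, base = [], [], None
    for line in text.splitlines():
        m = NODE_RE.search(line)
        if not m:
            continue
        if base is None:
            base = m.start()                 # column of the first node = depth 0
        depth = (m.start() - base) // 3      # assumption: yarn indents 3 columns per level
        vm = VERSION_RE.search(m.group("ref"))
        version = vm.group(1) if vm else None
        del stack[depth:]                    # pop back up to this node's parent
        stack.append(f"{m.group('name')}@{version or m.group('ref')}")
        nodes.append((list(stack), m.group("name"), version))
    return nodes


def affected_paths(text: str, package: str, max_affected: str) -> List[List[str]]:
    """Paths ending in `package` whose resolved version is <= max_affected."""
    limit = version_tuple(max_affected)
    return [path for path, name, ver in parse_tree(text)
            if name == package and ver is not None and version_tuple(ver) <= limit]


if __name__ == "__main__":
    for path in affected_paths(SAMPLE, "tar", "7.5.2"):
        # path[-2] is the direct dependent whose declared range pins the vulnerable copy
        print(f"{path[-1]} pulled in by {path[-2]}: {' > '.join(path)}")
```

Running it against the sample reports both copies of tar@6.2.1, pinned by cacache@18.0.4 and node-gyp@10.2.0 respectively, neither of which is a direct dependency of the user's project.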