
CVE-2024-28863 - Lerna using a vulnerable version of tar #3989

Open
jimblanc opened this issue Apr 10, 2024 · 2 comments

@jimblanc

Current Behavior

Good day,
We received a dependabot alert on our repo due to Lerna's use of tar in @lerna/create & @lerna/legacy-package-management relating to CVE-2024-28863. Would it be possible to update tar to v6.2.1 in Lerna v7 & v8?

Expected Behavior

Lerna should not use the impacted versions of tar.

Steps to Reproduce

npm audit in a project that is using Lerna.

This issue may not be prioritized if details are not provided to help us reproduce the issue.

Failure Logs / Configuration

N/A

Environment

N/A
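A lockfile check for what the report above asks about: which copies of tar in a Lerna workspace are still below the 6.2.1 release named in the issue. This is an added example, not code from the issue or the Lerna project; it reads the `packages` map of a lockfileVersion 2/3 package-lock.json, and the sample lockfile fragment and the nested install paths in it are constructed.

```python
"""Report every `tar` entry in a package-lock.json (lockfileVersion 2 or 3)
whose version is below the fixed release named in the issue (6.2.1)."""
import json
import re
from typing import Dict, List, Tuple

# tar release the issue asks Lerna to move to for CVE-2024-28863
FIXED_TAR_VERSION = (6, 2, 1)


def parse_version(version: str) -> Tuple[int, int, int]:
    """Parse 'MAJOR.MINOR.PATCH'; any pre-release suffix is ignored."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def find_vulnerable_tar(lock: Dict) -> List[Tuple[str, str]]:
    """Return (install path, version) for each 'tar' older than the fix.

    lockfileVersion 2/3 list every installed package under lock['packages'],
    keyed by its path below the project root, e.g. 'node_modules/tar' or a
    nested 'node_modules/@lerna/create/node_modules/tar'.
    """
    hits = []
    for path, meta in lock.get("packages", {}).items():
        # package name is whatever follows the last 'node_modules/' segment
        name = path.split("node_modules/")[-1]
        if name != "tar" or "version" not in meta:
            continue
        if parse_version(meta["version"]) < FIXED_TAR_VERSION:
            hits.append((path, meta["version"]))
    return hits


# constructed lockfile fragment (assumption, not a real Lerna tree): the root
# tar is already fixed, while nested copies under the two Lerna packages named
# in the issue are still on older releases
SAMPLE_LOCK = json.loads("""{
  "lockfileVersion": 3,
  "packages": {
    "": {"name": "example-monorepo"},
    "node_modules/tar": {"version": "6.2.1"},
    "node_modules/@lerna/create": {"version": "8.0.0"},
    "node_modules/@lerna/create/node_modules/tar": {"version": "6.1.11"},
    "node_modules/@lerna/legacy-package-management/node_modules/tar": {"version": "6.2.0"}
  }
}""")

if __name__ == "__main__":
    for path, version in find_vulnerable_tar(SAMPLE_LOCK):
        print(f"{path}: tar@{version} is below 6.2.1")
```

Point `json.load(open("package-lock.json"))` at a real workspace in place of `SAMPLE_LOCK` to see the same nested paths that `npm audit` flags.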

@alexsaker

There is an automatic PR dealing with this issue.
An "Exceeded timeout of 60000 ms for a hook." error was thrown by the CI here.
Not sure whether it is just a glitch with CI agents or if the tar package update broke something.

@sergeyklay

@JamesHenry Could you please take a look?
