From 93ab2f04005cb9c422bfce8d1249b57a2b6ff12b Mon Sep 17 00:00:00 2001
From: Burak Yigit Kaya
Date: Wed, 11 Mar 2026 15:11:14 +0000
Subject: [PATCH] fix: update simple-git and tar to address security vulnerabilities
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
- simple-git: 3.30.0 → 3.33.0 (fixes CVE-2026-28292, CRITICAL CVSS 9.8) RCE via case-insensitive protocol.allow bypass in blockUnsafeOperationsPlugin
- tar: 7.5.10 → 7.5.11 (fixes CVE-2026-29786, HIGH CVSS 8.2) Hardlink path traversal via drive-relative linkpath
Also dismissed Dependabot alert #119 (@tootallnate/once, LOW severity) as tolerable risk — blocked upstream by teeny-request pinning http-proxy-agent@^5, and the vulnerability requires AbortSignal usage patterns not present in Craft.
---
 package.json | 4 ++--
 pnpm-lock.yaml | 22 +++++++++++-----------
 2 files changed, 13 insertions(+), 13 deletions(-)
diff --git a/package.json b/package.json
index 1bac7a7e..b69b9f80 100644
--- a/package.json
+++ b/package.json
@@ -60,11 +60,11 @@
 "prettier": "^3.4.2",
 "prompts": "2.4.1",
 "shell-quote": "1.7.3",
- "simple-git": "^3.6.0",
+ "simple-git": "^3.33.0",
 "source-map-support": "^0.5.20",
 "split": "1.0.1",
 "string-length": "3.1.0",
- "tar": "7.5.10",
+ "tar": "7.5.11",
 "tmp": "0.2.4",
 "tslib": "^2.8.1",
 "typescript": "^5.7.2",
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
index 82ac9e6e..9b1b7ab6 100644
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@@ -178,8 +178,8 @@ importers:
 specifier: 1.7.3
 version: 1.7.3
 simple-git:
- specifier: ^3.6.0
- version: 3.30.0
+ specifier: ^3.33.0
+ version: 3.33.0
 source-map-support:
 specifier: ^0.5.20
 version: 0.5.21
@@ -190,8 +190,8 @@ importers:
 specifier: 3.1.0
 version: 3.1.0
 tar:
- specifier: 7.5.10
- version: 7.5.10
+ specifier: 7.5.11
+ version: 7.5.11
 tmp:
 specifier: 0.2.4
 version: 0.2.4
@@ -2887,8 +2887,8 @@ packages:
 resolution: {integrity: sha512-bzyZ1e88w9O1iNJbKnOlvYTrWPDl46O1bG0D3XInv+9tkPrxrN8jUUTiFlDkkmKWgn1M6CfIA13SuGqOa9Korw==}
 engines: {node: '>=14'}
- simple-git@3.30.0:
- resolution: {integrity: sha512-q6lxyDsCmEal/MEGhP1aVyQ3oxnagGlBDOVSIB4XUVLl1iZh0Pah6ebC9V4xBap/RfgP2WlI8EKs0WS0rMEJHg==}
+ simple-git@3.33.0:
+ resolution: {integrity: sha512-D4V/tGC2sjsoNhoMybKyGoE+v8A60hRawKQ1iFRA1zwuDgGZCBJ4ByOzZ5J8joBbi4Oam0qiPH+GhzmSBwbJng==}
 sisteransi@1.0.5:
 resolution: {integrity: sha512-bLGGlR1QxBcynn2d5YmDX4MGjlZvy2MRBDRNHLJ8VI6l6+9FUiyTFNJ0IveOSP0bcXgVDPRcfGqA0pjaqUpfVg==}
@@ -2967,8 +2967,8 @@ packages:
 resolution: {integrity: sha512-qpCAvRl9stuOHveKsn7HncJRvv501qIacKzQlO/+Lwxc9+0q2wLyv4Dfvt80/DPn2pqOBsJdDiogXGR9+OvwRw==}
 engines: {node: '>=8'}
- tar@7.5.10:
- resolution: {integrity: sha512-8mOPs1//5q/rlkNSPcCegA6hiHJYDmSLEI8aMH/CdSQJNWztHC9WHNam5zdQlfpTwB9Xp7IBEsHfV5LKMJGVAw==}
+ tar@7.5.11:
+ resolution: {integrity: sha512-ChjMH33/KetonMTAtpYdgUFr0tbz69Fp2v7zWxQfYZX4g5ZN2nOBXm1R2xyA+lMIKrLKIoKAwFj93jE/avX9cQ==}
 engines: {node: '>=18'}
 teeny-request@9.0.0:
@@ -6100,7 +6100,7 @@ snapshots:
 path-scurry@2.0.1:
 dependencies:
 lru-cache: 11.2.2
- minipass: 7.1.2
+ minipass: 7.1.3
 pathe@2.0.3: {}
@@ -6255,7 +6255,7 @@ snapshots:
 signal-exit@4.1.0: {}
- simple-git@3.30.0:
+ simple-git@3.33.0:
 dependencies:
 '@kwsites/file-exists': 1.1.1
 '@kwsites/promise-deferred': 1.1.1
@@ -6341,7 +6341,7 @@ snapshots:
 dependencies:
 has-flag: 4.0.0
- tar@7.5.10:
+ tar@7.5.11:
 dependencies:
 '@isaacs/fs-minipass': 4.0.1
 chownr: 3.0.0