Bump tar-fs from 2.1.2 to 2.1.4 #1045
Conversation
Bumps [tar-fs](https://github.com/mafintosh/tar-fs) from 2.1.2 to 2.1.4. - [Commits](mafintosh/tar-fs@v2.1.2...v2.1.4) --- updated-dependencies: - dependency-name: tar-fs dependency-version: 2.1.4 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com>
dependabot
bot
added
dependencies
dependabot
bot
requested review from
alexcos20,
bogdanfazakas and
mariacarmina
as code owners
|
@dependabot rebase |
alexcos20
left a comment
alexcos20
left a comment
There was a problem hiding this comment.
AI automated code review (Gemini 3).
Overall risk: low
Summary:
This pull request, initiated by Dependabot, updates the tar-fs package from version 2.1.2 to 2.1.4. The changes are exclusively within package-lock.json, reflecting the dependency bump and a cleanup of a transitive string_decoder dependency within rdfxml-streaming-parser. This is a routine dependency maintenance update.
Comments:
• [INFO][other] The tar-fs package has been successfully updated from 2.1.2 to 2.1.4 as intended by the Dependabot PR. The new integrity hash and version are correctly reflected.
• [INFO][other] It's good to see that node_modules/rdfxml-streaming-parser/node_modules/string_decoder and its related entry in the packages section were removed. This likely indicates a consolidation or removal of a redundant transitive dependency, simplifying the dependency graph.
• [INFO][other] As this is an indirect dependency update, it's always a good practice to ensure all automated tests (unit, integration, e2e) pass to confirm no unexpected regressions are introduced by the update, even for minor versions.
|
Looks like tar-fs is up-to-date now, so this is no longer needed. |
alexcos20
left a comment
alexcos20
left a comment
There was a problem hiding this comment.
AI automated code review (Gemini 3).
Overall risk: low
Summary:
This pull request, created by Dependabot, updates the tar-fs dependency from version 2.1.2 to 2.1.4. The changes are exclusively within the package-lock.json file, reflecting the updated dependency and associated transitive dependency resolution.
Comments:
• [INFO][other] This is a routine Dependabot update for a patch version of tar-fs. The changes in package-lock.json are consistent with a minor dependency upgrade. It's generally safe to merge, assuming existing CI/CD pipelines cover dependency stability checks. The removal of string_decoder entries is likely a consequence of dependency resolution optimization following the update.
alexcos20
left a comment
alexcos20
left a comment
There was a problem hiding this comment.
AI automated code review (Gemini 3).
Overall risk: low
Summary:
This pull request updates the tar-fs dependency from version 2.1.2 to 2.1.4. This is an automated dependency update by Dependabot, primarily modifying package-lock.json. This update is important as tar-fs@2.1.3 addressed CVE-2023-46736 (arbitrary file write vulnerability), and tar-fs@2.1.4 addressed CVE-2024-21919, which affects its chownr dependency. The package-lock.json also reflects some cleanup of nested string_decoder dependencies.
Comments:
• [INFO][security] The update of tar-fs from 2.1.2 to 2.1.4 is critical. Version 2.1.3 patched CVE-2023-46736 (arbitrary file write during extraction), and 2.1.4 addressed CVE-2024-21919, a vulnerability in its chownr dependency. This PR significantly improves the security posture regarding tar archive handling.
• [INFO][other] The removal of nested string_decoder entries (e.g., node_modules/rdfxml-streaming-parser/node_modules/string_decoder) indicates an improvement in the dependency tree resolution, likely due to the updated tar-fs or other internal dependency changes allowing for better hoisting/deduplication. This is a positive cleanup.
Bumps tar-fs from 2.1.2 to 2.1.4.
Commits
f421a232.1.4c412fa1refactor to same pattern as v34b7e8682.1.3266194bhardlink tweak from mainYou can trigger a rebase of this PR by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot mergewill merge this PR after your CI passes on it@dependabot squash and mergewill squash and merge this PR after your CI passes on it@dependabot cancel mergewill cancel a previously requested merge and block automerging@dependabot reopenwill reopen this PR if it is closed@dependabot closewill close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)You can disable automated security fix PRs for this repo from the Security Alerts page.