From c87a16a683f1024cbe7d4bffac662fcbdb664ffc Mon Sep 17 00:00:00 2001
From: Claude Owner
Date: Wed, 27 May 2026 21:09:57 +0900
Subject: [PATCH] chore(deps): override transitive tar to ^7.5.15 to clear 5 high CVEs
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

@discordjs/voice → prism-media → @discordjs/opus → @discordjs/node-pre-gyp pins tar ^6.1.11. All tar <=7.5.10 are vulnerable (GHSA-34x7-hfp2-rc4v, 8qq5-rm4j-mr97, 83g3-92jg-28cx, qffp-2rhf-9h96, 9ppj-qmqm-q256, r6q2-hw4h-h46w) with no fix available on the v6 line. Use npm `overrides` to force tar ^7.5.15 across the dep tree.

Verified:
- npm install: `found 0 vulnerabilities`
- docker build --no-cache: succeeds; @discordjs/opus prebuilt is still extracted correctly by node-pre-gyp with tar v7
- npm run build: clean
---
 package.json | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/package.json b/package.json
index c123cb7..35e1b95 100644
--- a/package.json
+++ b/package.json
@@ -41,5 +41,8 @@
 "dotenv": "^17.2.3",
 "fluent-ffmpeg": "^2.1.3",
 "ws": "^8.18.3"
+ },
+ "overrides": {
+ "tar": "^7.5.15"
 }
 }
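Review bot: The diffstat lists only package.json, so if this project tracks a package-lock.json the new `overrides` entry is not reflected in it; `npm ci` (the usual install step in a Docker build) refuses to proceed when package.json and the lockfile disagree, and a plain `npm install` would quietly rewrite the lockfile outside version control, which is presumably how the "found 0 vulnerabilities" run was produced — the regenerated lockfile should be committed with this hunk. The override is also unscoped: `"tar": "^7.5.15"` rewrites every tar dependency in the tree, not just the @discordjs/node-pre-gyp path the message describes, so the verified prebuilt-extraction check covers only one of the consumers being moved from v6 to v7. If the intent is limited to that path, a nested override such as `"@discordjs/node-pre-gyp": { "tar": "^7.5.15" }` confines the change to it; if a tree-wide pin is intended, it would help to say so in the message, since package.json cannot carry a comment explaining why the override exists or when it can be dropped.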