chore(deps): override transitive tar to ^7.5.15 to clear 5 high CVEs
@discordjs/voice → prism-media → @discordjs/opus → @discordjs/node-pre-gyp pins tar ^6.1.11. All tar <=7.5.10 are vulnerable (GHSA-34x7-hfp2-rc4v, 8qq5-rm4j-mr97, 83g3-92jg-28cx, qffp-2rhf-9h96, 9ppj-qmqm-q256, r6q2-hw4h-h46w) with no fix available on the v6 line. Use npm `overrides` to force tar ^7.5.15 across the dep tree. Verified: - npm install: `found 0 vulnerabilities` - docker build --no-cache: succeeds; @discordjs/opus prebuilt is still extracted correctly by node-pre-gyp with tar v7 - npm run build: clean
This commit is contained in:
Claude Owner
@@ -41,5 +41,8 @@
|
||||
"dotenv": "^17.2.3",
|
||||
"fluent-ffmpeg": "^2.1.3",
|
||||
"ws": "^8.18.3"
|
||||
},
|
||||
"overrides": {
|
||||
"tar": "^7.5.15"
|
||||
}
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user