chore(deps): override transitive tar to ^7.5.15 to clear 5 high CVEs

@discordjs/voice → prism-media → @discordjs/opus → @discordjs/node-pre-gyp
pins tar ^6.1.11. All tar <=7.5.10 are vulnerable (GHSA-34x7-hfp2-rc4v,
8qq5-rm4j-mr97, 83g3-92jg-28cx, qffp-2rhf-9h96, 9ppj-qmqm-q256,
r6q2-hw4h-h46w) with no fix available on the v6 line.

Use npm `overrides` to force tar ^7.5.15 across the dep tree. Verified:
- npm install: `found 0 vulnerabilities`
- docker build --no-cache: succeeds; @discordjs/opus prebuilt is still
  extracted correctly by node-pre-gyp with tar v7
- npm run build: clean
Claude Owner
2026-05-27 21:09:57 +09:00
parent 9eed231244
commit c87a16a683


@@ -41,5 +41,8 @@
"dotenv": "^17.2.3", "dotenv": "^17.2.3",
"fluent-ffmpeg": "^2.1.3", "fluent-ffmpeg": "^2.1.3",
"ws": "^8.18.3" "ws": "^8.18.3"
},
"overrides": {
"tar": "^7.5.15"
} }
} }
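Review bot: The new `"tar": "^7.5.15"` entry under `"overrides"` is unscoped, so it forces the v7 major on every package in the tree that depends on tar, not only the @discordjs/node-pre-gyp consumer named in the commit message, which declares ^6.1.11. Consider nesting it under that package, for example `"@discordjs/node-pre-gyp": { "tar": "^7.5.15" }`, so that any other tar consumer added later keeps resolving the range it declares and a v6-only caller does not break silently. JSON cannot hold a comment, so the reason for the override lives only in the commit message; link the advisories from the README or a tracking issue and drop the override once upstream moves off tar v6. This hunk touches package.json only, so confirm the regenerated package-lock.json is committed alongside it, otherwise installs from the existing lockfile will keep resolving tar v6.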