Claude Owner c87a16a683 chore(deps): override transitive tar to ^7.5.15 to clear 5 high CVEs ...

@discordjs/voice → prism-media → @discordjs/opus → @discordjs/node-pre-gyp
pins tar ^6.1.11. All tar <=7.5.10 are vulnerable (GHSA-34x7-hfp2-rc4v,
8qq5-rm4j-mr97, 83g3-92jg-28cx, qffp-2rhf-9h96, 9ppj-qmqm-q256,
r6q2-hw4h-h46w) with no fix available on the v6 line.

Use npm `overrides` to force tar ^7.5.15 across the dep tree. Verified:
- npm install: `found 0 vulnerabilities`
- docker build --no-cache: succeeds; @discordjs/opus prebuilt is still
  extracted correctly by node-pre-gyp with tar v7
- npm run build: clean

2026-05-27 21:09:57 +09:00

1.3 KiB

Raw Permalink Blame History

View Raw