Partially address tar vulnerabilities#9700
Merged: tobias-jarvelov merged 3 commits into main on Jan 27, 2026
faern (Member) approved these changes on Jan 27, 2026 and left a comment:

@faern reviewed 3 files and all commit messages. Reviewable status: complete! all files reviewed, all discussions resolved.
We have investigated the uses of the tar dependency and found two use cases of it in our code base's supply chain:

- electron-builder
- grpc-tools (from their use of @mapbox-node-pre-gyp)

Currently the tar dependency update has not traversed all through the supply chain in the packages we depend on. electron-builder and their supply chain was very fast to bump the dependency, but it seems like @mapbox/node-pre-gyp do not currently have an update available. A draft PR does exist though. When this has been patched we should update immediately.

---

Extended reasoning on ignoring the vulnerable dependency:

The vulnerable tar dependency does not handle arbitrary tar files, as it is only used by grpc-tools. Unless the specific tar file, corresponding to the version of grpc-tools we depend on, is compromised then an attack is not possible. The tar file is hosted on Github's package repository and for an attack to be possible either the grpc-tools team or Github's package repository must be compromised, which currently seems unlikely. However, even if unlikely we still want to ensure that we can protect against this attack and if a patch hasn't been made available at the end of this ignore period we will want to investigate other forms of mitigation.
Commits referencing this pull request:

- tobias-jarvelov added a commit on Mar 4, 2026 (merged): "See justification in the original PR: #9700"
- tobias-jarvelov added a commit on Mar 4, 2026: "See justification in the original PR: #9700"
- tobias-jarvelov added a commit on Mar 11, 2026: "See justification in the original PR: #9700"
- tobias-jarvelov added a commit on Mar 13, 2026: "See justification in the original PR: #9700"
Ignore tar CVEs for about 1 week
We have investigated the uses of the tar dependency and found two uses of it in our code base's supply chain:

- electron-builder
- grpc-tools (from their use of @mapbox/node-pre-gyp)
Currently the tar dependency update has not traversed all through the supply chain in the packages we depend on. electron-builder and their supply chain was very fast to bump the dependency, but it seems like @mapbox/node-pre-gyp do not currently have an update available. A draft PR does exist though.
Link to draft PR for @mapbox/node-pre-gyp tar upgrade: mapbox/node-pre-gyp#933
When this has been patched we should update immediately.
Extended reasoning on ignoring the vulnerable dependency:
The vulnerable tar dependency does not handle arbitrary tar files, as it is only used by grpc-tools to download a specific file. Unless the specific tar file, corresponding to the version of grpc-tools we depend on, is compromised then an attack is not possible.
The tar file is hosted on Github's package repository and for an attack to be possible either the grpc-tools team or Github's package repository must be compromised, which currently seems unlikely.
However, even if unlikely we still want to ensure that we can protect against this attack and if a patch hasn't been made available at the end of this ignore period we will want to investigate other forms of mitigation.
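The investigation described in this PR (which packages pull in `tar`, through which chain, and whether each chain has picked up the bumped version yet) can be reproduced mechanically from `package-lock.json`. The following script is an added example and is not part of this PR or the project's tooling. It walks the lockfile's `packages` map using npm's nearest-`node_modules` resolution rule and reports every dependency chain from the root to a target package, flagging any resolved copy below a caller-supplied minimum version. The embedded lockfile, the package versions in it and the `7.5.0` threshold used in the usage call are constructed placeholders, not the real vulnerable or fixed ranges.

```python
"""Report every dependency chain leading to a target package in a package-lock.json."""
import json
import sys
from typing import Dict, List, Optional, Tuple

# Constructed sample lockfile (lockfileVersion 3 layout). Versions are
# placeholders chosen to show one updated chain and one stale nested copy.
SAMPLE_LOCK = {
    "name": "example-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"devDependencies": {"electron-builder": "^26.0.0", "grpc-tools": "^1.12.0"}},
        "node_modules/electron-builder": {"version": "26.0.0", "dependencies": {"tar": "^7.5.0"}},
        "node_modules/tar": {"version": "7.5.2"},
        "node_modules/grpc-tools": {"version": "1.12.0", "dependencies": {"@mapbox/node-pre-gyp": "^1.0.0"}},
        "node_modules/@mapbox/node-pre-gyp": {"version": "1.0.11", "dependencies": {"tar": "^6.1.11"}},
        # Nested copy: npm keeps an older tar here because the top-level one does not satisfy ^6.
        "node_modules/@mapbox/node-pre-gyp/node_modules/tar": {"version": "6.2.1"},
    },
}

DEP_KEYS = ("dependencies", "devDependencies", "optionalDependencies")


def parse_semver(version: str) -> Tuple[int, ...]:
    """Turn '7.5.2' (or '7.5.2-beta.1') into a comparable tuple of the core numbers."""
    core = version.split("-")[0].split("+")[0]
    return tuple(int(part) for part in core.split(".")[:3])


def resolve(packages: Dict[str, dict], from_path: str, dep_name: str) -> Optional[str]:
    """Mimic Node resolution: the nearest node_modules/<dep> walking up from from_path."""
    base = from_path
    while True:
        candidate = f"{base}/node_modules/{dep_name}" if base else f"node_modules/{dep_name}"
        if candidate in packages:
            return candidate
        if not base:
            return None  # reached the project root without finding it
        # Strip the innermost "/node_modules/<name>" segment to move one level up.
        idx = base.rfind("/node_modules/")
        base = base[:idx] if idx != -1 else ""


def dependency_paths(lock: dict, target: str) -> List[Tuple[List[str], str, str]]:
    """Return (chain, resolved_version, lockfile_path) for each route from the root to target."""
    packages = lock["packages"]
    results: List[Tuple[List[str], str, str]] = []

    def walk(path: str, chain: List[str], seen: frozenset) -> None:
        deps: Dict[str, str] = {}
        for key in DEP_KEYS:
            deps.update(packages.get(path, {}).get(key, {}))
        for dep in deps:
            resolved = resolve(packages, path, dep)
            if resolved is None or resolved in seen:
                continue  # unresolved (e.g. skipped optional dep) or a cycle
            version = packages[resolved].get("version", "?")
            new_chain = chain + [f"{dep}@{version}"]
            if dep == target:
                results.append((new_chain, version, resolved))
            else:
                walk(resolved, new_chain, seen | {resolved})

    walk("", [], frozenset())
    return results


def report(lock: dict, target: str, fixed_minimum: str) -> List[Tuple[str, str, str]]:
    """One row per chain: (chain text, resolved version, 'ok' or 'NEEDS UPDATE')."""
    rows = []
    for chain, version, _path in dependency_paths(lock, target):
        status = "ok" if parse_semver(version) >= parse_semver(fixed_minimum) else "NEEDS UPDATE"
        rows.append((" > ".join(chain), version, status))
    return rows


if __name__ == "__main__":
    # Usage: python tar_chains.py [package-lock.json] [target] [fixed-minimum-version]
    lock = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_LOCK
    target = sys.argv[2] if len(sys.argv) > 2 else "tar"
    fixed_minimum = sys.argv[3] if len(sys.argv) > 3 else "7.5.0"  # placeholder threshold
    for chain_text, version, status in report(lock, target, fixed_minimum):
        print(f"[{status}] {chain_text}")
```

Run against the real lockfile with the fixed version from the advisory as the third argument; a `NEEDS UPDATE` row whose chain ends in a nested `node_modules/.../node_modules/tar` entry is exactly the situation described above, where a top-level bump has landed but an intermediate package still pins the old range and so keeps its own copy.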