mirror of
https://github.com/semver/semver.git
synced 2026-07-11 03:53:53 -05:00
[GH-ISSUE #1189] Vulnerability issue with Semantic-release/npm version 13.1.3 #6693
Reference in New Issue
Block a user
Delete Branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Originally created by @Shobha-Bai on GitHub (Jan 30, 2026).
Original GitHub issue: https://github.com/semver/semver/issues/1189
├─┬ @semantic-release/npm@13.1.3
│ └─┬ npm@11.8.0
│ ├─┬ libnpmdiff@8.0.13
│ │ └── tar@7.5.4 deduped
│ ├─┬ node-gyp@12.1.0
│ │ └── tar@7.5.4 deduped
│ ├─┬ pacote@21.0.4
│ │ └── tar@7.5.4 deduped
│ └── tar@7.5.4
└── tar@7.5.7
node-tar: tar: node-tar: Arbitrary file creation via path traversal bypass in hardlink security check
High
Package: tar
Installed Version: 7.5.4
Vulnerability CVE-2026-24842
Severity: HIGH
Fixed Version: 7.5.7
Link: CVE-2026-24842
Trivy
@JohnTitor commented on GitHub (Feb 1, 2026):
This repo (org) is for the semver spec, not any libraries.