[GH-ISSUE #1189] Vulnerability issue with Semantic-release/npm version 13.1.3 #7677

Closed
opened 2026-06-20 17:46:10 -05:00 by GiteaMirror · 1 comment
Owner

Originally created by @Shobha-Bai on GitHub (Jan 30, 2026).
Original GitHub issue: https://github.com/semver/semver/issues/1189

├─┬ @semantic-release/npm@13.1.3
│ └─┬ npm@11.8.0
│ ├─┬ libnpmdiff@8.0.13
│ │ └── tar@7.5.4 deduped
│ ├─┬ node-gyp@12.1.0
│ │ └── tar@7.5.4 deduped
│ ├─┬ pacote@21.0.4
│ │ └── tar@7.5.4 deduped
│ └── tar@7.5.4
└── tar@7.5.7

node-tar: tar: node-tar: Arbitrary file creation via path traversal bypass in hardlink security check
High
Package: tar
Installed Version: 7.5.4
Vulnerability CVE-2026-24842
Severity: HIGH
Fixed Version: 7.5.7
Link: CVE-2026-24842
Trivy

Originally created by @Shobha-Bai on GitHub (Jan 30, 2026). Original GitHub issue: https://github.com/semver/semver/issues/1189 ├─┬ @semantic-release/npm@13.1.3 │ └─┬ npm@11.8.0 │ ├─┬ libnpmdiff@8.0.13 │ │ └── tar@7.5.4 deduped │ ├─┬ node-gyp@12.1.0 │ │ └── tar@7.5.4 deduped │ ├─┬ pacote@21.0.4 │ │ └── tar@7.5.4 deduped │ └── tar@7.5.4 └── tar@7.5.7 node-tar: tar: node-tar: Arbitrary file creation via path traversal bypass in hardlink security check High Package: tar Installed Version: 7.5.4 Vulnerability CVE-2026-24842 Severity: HIGH Fixed Version: 7.5.7 Link: CVE-2026-24842 Trivy
Author
Owner

@JohnTitor commented on GitHub (Feb 1, 2026):

This repo (org) is for the semver spec, not any libraries.

<!-- gh-comment-id:3830049748 --> @JohnTitor commented on GitHub (Feb 1, 2026): This repo (org) is for the semver spec, not any libraries.
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/semver#7677