
🤖🔵 fix: Resolve open Dependabot vulnerabilities for tar and lodash#21

Merged
dmattia merged 2 commits into main from dmattia/fix-dependabot-vulnerabilities on Feb 18, 2026

Conversation

dmattia (Member) commented Feb 18, 2026

Summary

  • Remove @yarnpkg/pnpify and @yarnpkg/sdks dev dependencies — eliminates the @yarnpkg/core → tar@^6 transitive dependency chain. Yarn Berry's PnP runtime handles tool resolution natively, making the pnpify wrapper unnecessary. The sdks command is still available via yarn dlx @yarnpkg/sdks when needed.
  • Upgrade mocha from v10 to v11 — moves to chokidar v4 which dropped fsevents, eliminating the fsevents → node-gyp → tar@^6 chain.
  • Update lodash from 4.17.21 to 4.17.23 in the lockfile (patched version within existing semver range).

Net result: 118 transitive packages removed, tar eliminated from the dependency tree entirely.

Vulnerabilities Fixed

Alert  Severity  Package  CVE             Resolution
#58    High      tar      CVE-2026-26960  Removed from dep tree
#53    High      tar      CVE-2026-24842  Removed from dep tree
#51    High      tar      CVE-2026-23950  Removed from dep tree
#48    High      tar      CVE-2026-23745  Removed from dep tree
#52    Medium    lodash   CVE-2025-13465  Updated to 4.17.23

Changes

package.json

  • Removed @yarnpkg/pnpify and @yarnpkg/sdks from devDependencies
  • Updated mocha from ^10.2.0 to ^11.0.0
  • Updated scripts to run tsc, eslint, mocha directly instead of via yarn pnpify
  • Changed update:sdks script to use yarn dlx @yarnpkg/sdks

yarn.lock / .yarn/cache

  • 118 packages removed, 10 added
  • tar@6.2.1 fully eliminated
  • lodash bumped to 4.17.23

Test plan

  • yarn install succeeds
  • yarn build compiles cleanly
  • yarn test — all 11 tests pass
  • yarn lint passes
  • yarn why tar returns empty (no tar in dependency tree)
  • yarn why lodash shows 4.17.23

Made with Cursor
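The two `yarn why` lines in the test plan above only prove the fix on a machine that has just run `yarn install`. The same check can be run offline against the committed yarn.lock, which makes it usable as a CI gate so a later lockfile change cannot quietly bring tar back. The Node script below is an added example and is not code from this PR or the project: it parses a simplified Yarn Berry lockfile, reports the versions a package resolves to (what `yarn why <name>` prints), walks the full dependent chain from the workspace down to a forbidden package (where `yarn why` shows only one hop), and turns both into a pass/fail policy. The two lockfiles embedded in it are constructed samples that mirror the before/after shape described in the PR (the @yarnpkg/pnpify → @yarnpkg/core → tar and mocha → chokidar → fsevents → node-gyp → tar chains, lodash moving to 4.17.23); the workspace name demo-project, the intermediate version numbers and ranges are placeholders, and most lockfile fields (resolution, checksum, languageName, linkType) are omitted.

```javascript
// Added example, not the project's code: offline yarn.lock audit mirroring the `yarn why tar`
// and `yarn why lodash` checks in the PR's test plan. Both lockfiles are CONSTRUCTED samples in
// simplified Yarn Berry syntax (most fields omitted); names, versions and ranges are placeholders.
const BEFORE_LOCK = `
"@yarnpkg/core@npm:^4.0.0":
  dependencies:
    tar: "npm:^6.1.11"
"@yarnpkg/pnpify@npm:^4.0.0":
  dependencies:
    "@yarnpkg/core": "npm:^4.0.0"
"chokidar@npm:^3.5.3":
  dependencies:
    fsevents: "npm:~2.3.2"
"demo-project@workspace:.":
  dependencies:
    "@yarnpkg/pnpify": "npm:^4.0.0"
    lodash: "npm:^4.17.21"
    mocha: "npm:^10.2.0"
"fsevents@npm:~2.3.2":
  dependencies:
    node-gyp: "npm:latest"
"lodash@npm:^4.17.21":
  version: 4.17.21
"mocha@npm:^10.2.0":
  dependencies:
    chokidar: "npm:^3.5.3"
"node-gyp@npm:latest":
  dependencies:
    tar: "npm:^6.2.1"
"tar@npm:^6.1.11, tar@npm:^6.2.1":
  version: 6.2.1
`;
const AFTER_LOCK = `
"chokidar@npm:^4.0.1":
  version: 4.0.1
"demo-project@workspace:.":
  dependencies:
    lodash: "npm:^4.17.21"
    mocha: "npm:^11.0.0"
"lodash@npm:^4.17.21":
  version: 4.17.23
"mocha@npm:^11.0.0":
  dependencies:
    chokidar: "npm:^4.0.1"
`;
// Parse top-level `"desc1, desc2":` entries, keeping only `version` and the `dependencies` block.
function parseLockfile(text) {
  const entries = [];
  let cur = null, inDeps = false;
  for (const line of text.split('\n')) {
    if (!line.trim() || line.startsWith('#')) continue;
    if (!line.startsWith(' ')) { // new entry; __metadata has no '@' and is skipped
      const key = line.replace(/:$/, '').replace(/^"|"$/g, '');
      const at = key.indexOf('@', 1); // the name ends at the first '@' after a leading scope '@'
      inDeps = false;
      cur = at < 0 ? null : { name: key.slice(0, at), version: null, dependencies: {} };
      if (cur) entries.push(cur);
    } else if (cur) {
      const field = /^ {2}(\w+):(?: (.*))?$/.exec(line);
      if (field) { inDeps = field[1] === 'dependencies'; if (field[1] === 'version') cur.version = field[2]; continue; }
      const dep = inDeps && /^ {4}"?([^":]+)"?: "?([^"]*)"?$/.exec(line);
      if (dep) cur.dependencies[dep[1]] = dep[2];
    }
  }
  return entries;
}
// Versions a package resolves to: the version column of `yarn why <name>`.
function resolvedVersions(entries, name) {
  return [...new Set(entries.filter((e) => e.name === name).map((e) => e.version))].sort();
}
// Every path from a root (nothing depends on it) down to `target`: the whole chain, not one hop.
function chainsTo(entries, target) {
  if (!entries.some((e) => e.name === target)) return [];
  const dependents = new Map(); // name -> Set of names that list it under dependencies
  for (const e of entries) for (const dep of Object.keys(e.dependencies)) {
    if (!dependents.has(dep)) dependents.set(dep, new Set());
    dependents.get(dep).add(e.name);
  }
  const chains = [];
  const walk = (name, below) => {
    if (below.includes(name)) return; // cycle guard
    const chain = [name, ...below];
    const parents = [...(dependents.get(name) || [])].sort();
    if (parents.length === 0) chains.push(chain);
    for (const p of parents) walk(p, chain);
  };
  walk(target, []);
  return chains;
}
// CI gate: `forbidden` packages must be unreachable and each `expected` package must resolve
// only to the given version (the two `yarn why` lines of the test plan).
function auditLockfile(text, { forbidden = [], expected = {} } = {}) {
  const entries = parseLockfile(text), problems = [];
  for (const name of forbidden)
    for (const chain of chainsTo(entries, name)) problems.push(`${name} still reachable: ${chain.join(' > ')}`);
  for (const [name, want] of Object.entries(expected))
    for (const v of resolvedVersions(entries, name))
      if (v !== want) problems.push(`${name} resolves to ${v}, expected ${want}`);
  return problems;
}
```

Run against the "before" sample, `auditLockfile(BEFORE_LOCK, { forbidden: ['tar'], expected: { lodash: '4.17.23' } })` returns three findings (both tar chains plus lodash at 4.17.21); against the "after" sample it returns an empty list. To use it on a real project, read `yarn.lock` with `fs.readFileSync` instead of the embedded samples and fail the CI job when the returned array is non-empty. The parser deliberately ignores `dependenciesMeta`, `peerDependencies` and `bin` blocks, so optional dependencies are treated like required ones, which is the conservative choice for a gate.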

dmattia and others added 2 commits February 18, 2026 18:59
Remove @yarnpkg/pnpify and @yarnpkg/sdks — Yarn Berry's PnP runtime
handles tool resolution natively, making the pnpify wrapper unnecessary.
The sdks command is still available via `yarn dlx` when needed.

Upgrade mocha from v10 to v11, which moves to chokidar v4 (drops
fsevents → node-gyp → tar@6 chain entirely).

Update lodash from 4.17.21 to 4.17.23 in the lockfile.

These changes eliminate tar from the dependency tree entirely and
resolve all 5 open Dependabot alerts:
- tar: CVE-2026-26960, CVE-2026-24842, CVE-2026-23950, CVE-2026-23745
- lodash: CVE-2025-13465

Co-authored-by: Cursor <cursoragent@cursor.com>

The check-executables-have-shebangs hook at v2.5.0 imports the `pipes`
module which was removed in Python 3.14, causing CI failures.

Co-authored-by: Cursor <cursoragent@cursor.com>
dmattia force-pushed the dmattia/fix-dependabot-vulnerabilities branch from db178fb to b1e87c4 on February 18, 2026 20:27
dmattia merged commit 8dbfa53 into main on Feb 18, 2026
12 checks passed