Skip to content

chore(deps): upgrade tar to 7.5.9 to fix CVE-2026-26960#19445

Merged
Lms24 merged 1 commit intodevelopfrom
feat/fix-tar-cve-2026-26960
Feb 20, 2026
Merged

chore(deps): upgrade tar to 7.5.9 to fix CVE-2026-26960#19445
Lms24 merged 1 commit intodevelopfrom
feat/fix-tar-cve-2026-26960

Conversation

@Lms24
Copy link
Member

@Lms24 Lms24 commented Feb 19, 2026

Summary

  • Bumps @mapbox/node-pre-gyp from 2.0.0 to 2.0.3 (transitive dep via @sentry/aws-serverless@vercel/nft)
  • This resolves tar from 7.5.7 to 7.5.9, patching GHSA-83g3-92jg-28cx / CVE-2026-26960
  • No package.json changes — existing version ranges already permitted the newer versions; only yarn.lock was updated

Vulnerability

CVE-2026-26960 (High, CVSS 7.1) — Arbitrary file read/write via hardlink target escape through symlink chain in tar.extract(). An attacker-controlled archive can create a hardlink inside the extraction directory pointing to a file outside the extraction root using default options.

Affected: tar < 7.5.8 | Patched: tar >= 7.5.8

Dependency chain

@sentry/aws-serverless
  → @vercel/nft
    → @mapbox/node-pre-gyp 2.0.0 → 2.0.3
      → tar 7.5.7 → 7.5.9

Fixes https://github.com/getsentry/sentry-javascript/security/dependabot/1063

Made with Cursor

@Lms24 @cursoragent
fix(deps): upgrade tar to 7.5.9 to fix CVE-2026-26960
4418f1b 
Bumps `@mapbox/node-pre-gyp` from 2.0.0 to 2.0.3, which resolves
`tar` from 7.5.7 to 7.5.9, patching the arbitrary file read/write
vulnerability (GHSA-83g3-92jg-28cx / CVE-2026-26960).

Co-authored-by: Cursor <cursoragent@cursor.com>
@github-actions
Copy link
Contributor

github-actions bot commented Feb 19, 2026

size-limit report 📦

⚠️ Warning: Base artifact is not the latest one, because the latest workflow run is not done yet. This may lead to incorrect results. Try to re-run all tests to get up to date results.

Path Size % Change Change
@sentry/browser 25.61 kB - -
@sentry/browser - with treeshaking flags 24.12 kB - -
@sentry/browser (incl. Tracing) 42.42 kB - -
@sentry/browser (incl. Tracing, Profiling) 47.08 kB - -
@sentry/browser (incl. Tracing, Replay) 81.24 kB - -
@sentry/browser (incl. Tracing, Replay) - with treeshaking flags 70.86 kB - -
@sentry/browser (incl. Tracing, Replay with Canvas) 85.93 kB - -
@sentry/browser (incl. Tracing, Replay, Feedback) 98.09 kB - -
@sentry/browser (incl. Feedback) 42.33 kB - -
@sentry/browser (incl. sendFeedback) 30.28 kB - -
@sentry/browser (incl. FeedbackAsync) 35.28 kB - -
@sentry/browser (incl. Metrics) 26.78 kB - -
@sentry/browser (incl. Logs) 26.92 kB - -
@sentry/browser (incl. Metrics & Logs) 27.6 kB - -
@sentry/react 27.37 kB - -
@sentry/react (incl. Tracing) 44.76 kB - -
@sentry/vue 30.06 kB - -
@sentry/vue (incl. Tracing) 44.26 kB - -
@sentry/svelte 25.64 kB - -
CDN Bundle 28.16 kB - -
CDN Bundle (incl. Tracing) 43.25 kB - -
CDN Bundle (incl. Logs, Metrics) 29 kB - -
CDN Bundle (incl. Tracing, Logs, Metrics) 44.09 kB - -
CDN Bundle (incl. Replay, Logs, Metrics) 68.08 kB - -
CDN Bundle (incl. Tracing, Replay) 80.12 kB - -
CDN Bundle (incl. Tracing, Replay, Logs, Metrics) 80.99 kB - -
CDN Bundle (incl. Tracing, Replay, Feedback) 85.56 kB - -
CDN Bundle (incl. Tracing, Replay, Feedback, Logs, Metrics) 86.46 kB - -
CDN Bundle - uncompressed 82.33 kB - -
CDN Bundle (incl. Tracing) - uncompressed 128.05 kB - -
CDN Bundle (incl. Logs, Metrics) - uncompressed 85.17 kB - -
CDN Bundle (incl. Tracing, Logs, Metrics) - uncompressed 130.88 kB - -
CDN Bundle (incl. Replay, Logs, Metrics) - uncompressed 208.83 kB - -
CDN Bundle (incl. Tracing, Replay) - uncompressed 244.93 kB - -
CDN Bundle (incl. Tracing, Replay, Logs, Metrics) - uncompressed 247.75 kB - -
CDN Bundle (incl. Tracing, Replay, Feedback) - uncompressed 257.73 kB - -
CDN Bundle (incl. Tracing, Replay, Feedback, Logs, Metrics) - uncompressed 260.54 kB - -
@sentry/nextjs (client) 47.17 kB - -
@sentry/sveltekit (client) 42.88 kB - -
@sentry/node-core 52.18 kB +0.02% +9 B 🔺
@sentry/node 166.54 kB +0.01% +7 B 🔺
@sentry/node - without tracing 93.97 kB +0.02% +10 B 🔺
@sentry/aws-serverless 109.47 kB +0.01% +8 B 🔺

View base workflow run

@github-actions
Copy link
Contributor

github-actions bot commented Feb 19, 2026

node-overhead report 🧳

Note: This is a synthetic benchmark with a minimal express app and does not necessarily reflect the real-world performance impact in an application.
⚠️ Warning: Base artifact is not the latest one, because the latest workflow run is not done yet. This may lead to incorrect results. Try to re-run all tests to get up to date results.

Scenario Requests/s % of Baseline Prev. Requests/s Change %
GET Baseline 9,212 - 11,244 -18%
GET With Sentry 1,701 18% 1,864 -9%
GET With Sentry (error only) 6,101 66% 7,507 -19%
POST Baseline 1,208 - 1,166 +4%
POST With Sentry 590 49% 585 +1%
POST With Sentry (error only) 977 81% 1,033 -5%
MYSQL Baseline 3,363 - 3,908 -14%
MYSQL With Sentry 524 16% 539 -3%
MYSQL With Sentry (error only) 2,744 82% 3,298 -17%

View base workflow run

@Lms24 Lms24 merged commit 98cb3f6 into develop Feb 20, 2026
225 of 226 checks passed
@Lms24 Lms24 deleted the feat/fix-tar-cve-2026-26960 branch February 20, 2026 08:51
@Lms24 Lms24 changed the title fix(deps): upgrade tar to 7.5.9 to fix CVE-2026-26960 chore(deps): upgrade tar to 7.5.9 to fix CVE-2026-26960 Feb 20, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@nicohrubec nicohrubec nicohrubec approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@Lms24 @nicohrubec

Comments