Current Behavior
Good day,
We received a dependabot alert on our repo due to Lerna's use of tar in @lerna/create & @lerna/legacy-package-management relating to CVE-2024-28863. Would it be possible to update tar to v6.2.1 in Lerna v7 & v8?
Expected Behavior
Lerna should not use the impacted versions of tar.
Steps to Reproduce
npm audit in a project that is using Lerna.
This issue may not be prioritized if details are not provided to help us reproduce the issue.
Failure Logs / Configuration
N/A
Environment
N/A
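As an added example (not part of this issue and not Lerna's own code), a small Node script that does what `npm audit` surfaces here: it walks a package-lock.json and reports every nested copy of `tar` below 6.2.1, the fixed version named above, together with the package that pulled it in. The lockfile contents are constructed for illustration; the package versions in it are placeholders, not Lerna's real dependency tree.

```javascript
// Added example, not Lerna's own code: scan a package-lock.json (lockfileVersion 2/3)
// for copies of `tar` older than 6.2.1, the version named as the fix for CVE-2024-28863.
const FIXED_TAR_VERSION = "6.2.1";

// Compare two "x.y.z" versions; pre-release suffixes are ignored for simplicity.
function compareSemver(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Return every `tar` entry below fixedVersion, with the package that nests it
// (e.g. "@lerna/create" for node_modules/@lerna/create/node_modules/tar).
function findVulnerableTar(lockfile, fixedVersion = FIXED_TAR_VERSION) {
  const hits = [];
  for (const [path, meta] of Object.entries(lockfile.packages || {})) {
    if (!/(^|\/)node_modules\/tar$/.test(path)) continue;
    if (compareSemver(meta.version, fixedVersion) >= 0) continue;
    const parent = path
      .slice(0, -"node_modules/tar".length)
      .replace(/\/$/, "")
      .replace(/^node_modules\//, "") || "<root>";
    hits.push({ path, version: meta.version, parent });
  }
  return hits;
}

// Constructed sample lockfile (versions are placeholders, not Lerna's real tree).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-workspace" },
    "node_modules/tar": { version: "6.2.1" },
    "node_modules/@lerna/create": { version: "0.0.0-sample" },
    "node_modules/@lerna/create/node_modules/tar": { version: "6.1.11" },
    "node_modules/@lerna/legacy-package-management": { version: "0.0.0-sample" },
    "node_modules/@lerna/legacy-package-management/node_modules/tar": { version: "6.1.11" },
    "node_modules/tar-stream": { version: "3.1.7" },
  },
};

// With a real lockfile: findVulnerableTar(JSON.parse(require("fs").readFileSync("package-lock.json", "utf8")))
for (const hit of findVulnerableTar(sampleLock)) {
  console.log(`${hit.parent} pulls in tar@${hit.version} (${hit.path})`);
}
```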
There is an automatic PR dealing with this issue.
An "Exceeded timeout of 60000 ms for a hook." was thrown by the CI here.
Not sure whether it is just a glitch with CI agents or if the tar package update broke something.