CVE-2026-24842 - dependency update request for node-tar

[hanurii]

GHSA-34x7-hfp2-rc4v

node-tar is currentyl 7.5.4, CVE patched in 7.5.7

[cclauss]

• CVE-2026-23950 - dependency update request for node-tar #3270
• Upgrade tar to 7.5.4 to address CVE-2026-23950 #3271

[daka1510]

My understanding is that this involves updating

node-gyp/package.json

Line 28 in 46d7576

"make-fetch-happen": "^15.0.0",

to ^20.0.0. This will then transitively update to the latest version of cacache. And the latest version of cacache no longer depends on (a vulnerable version of) tar (npm/cacache#314).

@cclauss the PR you linked to only updated a direct dependency. @hanurii do we share the same understanding that this would fix the issue?