
CVE-2024-28863 - Lerna using a vulnerable version of tar #3989

Closed
jimblanc opened this issue Apr 10, 2024 · 4 comments

Comments

@jimblanc

Current Behavior

Good day,
We received a dependabot alert on our repo due to Lerna's use of tar in @lerna/create & @lerna/legacy-package-management relating to CVE-2024-28863. Would it be possible to update tar to v6.2.1 in Lerna v7 & v8?

Expected Behavior

Lerna should not use the impacted versions of tar.

Steps to Reproduce

npm audit in a project that is using Lerna.

This issue may not be prioritized if details are not provided to help us reproduce the issue.

Failure Logs / Configuration

N/A

Environment

N/A

@alexsaker

There is an automatic PR dealing with this issue.
An "Exceeded timeout of 60000 ms for a hook." was thrown by the CI here.
Not sure whether it is just a glitch with CI agents or if the tar package update broke something.

@sergeyklay

@JamesHenry Could you please take a look

@ryan-gies-agilysys

A friendly nudge - this issue continues to appear on the security badge for lerna repos using dependabot...

@JamesHenry
Member

Thanks for your patience here folks, lerna 8.1.3 is available now and a freshly generated workspace only contains tar 6.2.1


Please also remember that lerna, as a dev tool which exclusively runs on users' machines, is not subject to exploitation by such a vulnerability; you would literally have to attack yourself on your own computer. Or, put another way, if an attacker already had access to your local machine, you have bigger problems than your tar version 😄

I am happy we can remove an irrelevant warning from your feedback systems, but you may also want to consider if there is a way for you to mark certain warnings as irrelevant/not applicable.

This article on this topic is worth a read if you are not familiar: https://overreacted.io/npm-audit-broken-by-design/
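To verify the claim above locally rather than relying on the audit badge, the script below (an added example, not code from the lerna project or any commenter) walks a `package-lock.json` (lockfileVersion 2 or 3) and reports every installed copy of `tar` older than 6.2.1 together with the package whose nested `node_modules` pulled it in. The embedded sample lockfile is constructed and its versions are illustrative, not lerna's real dependency versions.

```javascript
// Added example (not from the lerna project): find installed copies of `tar`
// below the fixed 6.2.1 named in the thread, and show which dependency owns each.
const FIXED_TAR = [6, 2, 1]; // tar version the thread asks for

// "6.1.11" -> [6, 1, 11]; a pre-release suffix such as "-rc.1" is ignored.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Returns one record per `tar` install older than FIXED_TAR. Lockfile keys are
// install paths, so "node_modules/@lerna/create/node_modules/tar" tells us the
// nested copy belongs to @lerna/create rather than to the root project.
function findVulnerableTar(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const segs = path.split("node_modules/");
    if (path === "" || segs[segs.length - 1] !== "tar") continue;
    if (compareVersions(parseVersion(meta.version), FIXED_TAR) >= 0) continue;
    const owner = segs[segs.length - 2].replace(/\/$/, "") || "(root project)";
    hits.push({ path, version: meta.version, dependent: owner });
  }
  return hits;
}

// Constructed sample lockfile (versions are illustrative, not lerna's real ones).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-monorepo" },
    "node_modules/tar": { version: "6.2.1" },
    "node_modules/@lerna/create/node_modules/tar": { version: "6.1.11" },
    "node_modules/@lerna/legacy-package-management/node_modules/tar": { version: "6.2.0" },
  },
};

if (typeof require !== "undefined" && require.main === module) {
  const fs = require("node:fs"); // pass a real package-lock.json path as argv[2]
  const lock = process.argv[2] ? JSON.parse(fs.readFileSync(process.argv[2], "utf8")) : SAMPLE_LOCK;
  for (const h of findVulnerableTar(lock)) console.log(`${h.dependent}: tar@${h.version} (${h.path})`);
}
```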
