Summary
@discordjs/node-pre-gyp 0.4.5 (latest) pins tar at ^6.1.11. All versions of tar <=7.5.3 are flagged by GitHub Advisory Database with 6 high-severity path-traversal / symlink-poisoning advisories during tarball extraction:
| GHSA | Title |
| --- | --- |
| GHSA-34x7-hfp2-rc4v | Hardlink Path Traversal |
| GHSA-83g3-92jg-28cx | Insufficient Path Sanitization |
| GHSA-8qq5-rm4j-mr97 | Hardlink Target Escape Through Symlink Chain |
| GHSA-9ppj-qmqm-q256 | Drive-Relative Hardlink Linkpath |
| GHSA-qffp-2rhf-9h96 | Drive-Relative Symlink Linkpath |
| GHSA-r6q2-hw4h-h46w | Race Condition via Unicode Ligature Collisions on macOS APFS |
The patched range is tar >=7.5.4.
Problem
Downstream packages that depend on @discordjs/opus (which depends on @discordjs/node-pre-gyp) get all six advisories surfaced in npm audit, with no in-repo workaround — overriding tar to ^7.5.4 breaks the install because tar 7.x is ESM-only and @discordjs/node-pre-gyp uses CommonJS require('tar').
Suggested fix
Migrate @discordjs/node-pre-gyp to ESM (matching the upstream tar 7.x API) and bump tar to ^7.5.4, then cut a 0.4.6 / 0.5.0 release. A minor breaking change is acceptable here since the package's consumers are mostly the discordjs ecosystem itself.
Context
Encountered while building voice support for a Discord bot. Real-world exploitability is low (requires compromise of the discordjs/opus GitHub Releases tarballs that node-pre-gyp pulls), but the audit noise is real for downstream maintainers under strict security policies.
Happy to send a PR if maintainers can confirm the ESM migration is in scope. Thanks!
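For downstream maintainers who want to confirm whether a given install actually carries an affected tar (rather than relying on the npm audit summary alone), here is an added example of a lockfile check. It is not code from this issue or from the discordjs project; it assumes an npm lockfile in the v2/v3 format (a top-level `packages` map keyed by install path), uses the patched floor 7.5.4 stated above, and embeds a constructed sample lockfile whose nested `tar` version and package layout are illustrative, not copied from any real install.

```javascript
// Added example: scan a package-lock.json "packages" map for installed copies
// of tar below the patched range (>=7.5.4) named in the advisories above.
// Not part of the issue or the discordjs project. Assumes npm lockfile v2/v3.

// Minimal version parser: "7.5.4" -> [7, 5, 4]. Prerelease/build suffixes are
// deliberately ignored; this is a simplified comparator, not full semver.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Comparator-style result: negative if a < b, zero if equal, positive if a > b.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Patched floor from the advisories referenced in this issue.
const TAR_PATCHED = '7.5.4';

// Walk every installed package and report each copy of tar whose version is
// below the patched floor. The install path is kept so nested copies (e.g.
// node_modules/@discordjs/node-pre-gyp/node_modules/tar) are distinguishable
// from a hoisted top-level tar that may already be fixed.
function findVulnerableTar(lockfile, patched = TAR_PATCHED) {
  const findings = [];
  for (const [installPath, meta] of Object.entries(lockfile.packages || {})) {
    // Only the tar package itself: keys end in ".../node_modules/tar".
    if (installPath === '' || !installPath.endsWith('node_modules/tar')) continue;
    if (!meta.version) continue;
    if (compareVersions(meta.version, patched) < 0) {
      findings.push({ path: installPath, version: meta.version });
    }
  }
  return findings;
}

// Constructed sample lockfile (hypothetical project and nested versions):
// the top-level tar is already on the patched range, but node-pre-gyp still
// carries its own nested copy under the ^6.1.11 pin described in the issue.
const SAMPLE_LOCKFILE = {
  name: 'example-bot',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-bot' },
    'node_modules/@discordjs/opus': { version: '0.0.0-placeholder' },
    'node_modules/@discordjs/node-pre-gyp': {
      version: '0.4.5',
      dependencies: { tar: '^6.1.11' },
    },
    'node_modules/@discordjs/node-pre-gyp/node_modules/tar': { version: '6.2.1' },
    'node_modules/tar': { version: '7.5.4' },
  },
};

// Render findings as a short report; an empty list means no affected copy found.
function formatReport(findings) {
  if (findings.length === 0) return `no tar < ${TAR_PATCHED} found`;
  return findings.map((f) => `${f.path}: tar@${f.version} < ${TAR_PATCHED}`).join('\n');
}

console.log(formatReport(findVulnerableTar(SAMPLE_LOCKFILE)));
```

To run it against a real project, replace `SAMPLE_LOCKFILE` with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`. The check intentionally reports by install path rather than by package name, because an `overrides` entry or a hoisted fix can leave a nested, still-vulnerable copy in place, which is exactly the situation described in this issue.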