From 623634537dfd2291307e8c29038c4a4e64b8b6d7 Mon Sep 17 00:00:00 2001 From: btea <2356281422@qq.com> Date: Sat, 17 Jan 2026 19:14:02 +0800 Subject: [PATCH] fix: audit (#10475) * fix: audit * fix: update * fix: update --- __utils__/scripts/src/copy-artifacts.ts | 2 +- pnpm-lock.yaml | 87 ++++--------------- pnpm-workspace.yaml | 4 +- pnpm/package.json | 1 + .../plugin-commands-publishing/test/pack.ts | 2 +- 5 files changed, 25 insertions(+), 71 deletions(-) diff --git a/__utils__/scripts/src/copy-artifacts.ts b/__utils__/scripts/src/copy-artifacts.ts index 38918ebc1c..07f3cf640a 100644 --- a/__utils__/scripts/src/copy-artifacts.ts +++ b/__utils__/scripts/src/copy-artifacts.ts @@ -3,7 +3,7 @@ import * as execa from 'execa' import path from 'path' import makeEmptyDir from 'make-empty-dir' import stream from 'stream' -import tar from 'tar' +import * as tar from 'tar' import { glob } from 'tinyglobby' const repoRoot = path.join(import.meta.dirname, '../../..') diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml index 6702130804..68841275bb 100644 --- a/pnpm-lock.yaml +++ b/pnpm-lock.yaml @@ -679,8 +679,8 @@ catalogs: specifier: ^7.0.0 version: 7.0.0 tar: - specifier: ^6.2.1 - version: 6.2.1 + specifier: ^7.5.3 + version: 7.5.3 tar-stream: specifier: ^2.2.0 version: 2.2.0 @@ -786,6 +786,7 @@ overrides: send@<0.19.0: ^0.19.0 serve-static@<1.16.0: ^1.16.0 socks@2: ^2.8.1 + tar@<=7.5.2: '>=7.5.3' tmp@<=0.2.3: '>=0.2.4' tough-cookie@<4.1.3: '>=4.1.3' validator@<13.15.22: '>=13.15.22' @@ -1173,7 +1174,7 @@ importers: version: 3.0.0 tar: specifier: 'catalog:' - version: 6.2.1 + version: 7.5.3 tinyglobby: specifier: 'catalog:' version: 0.2.14 @@ -7187,7 +7188,7 @@ importers: version: 7.0.1 tar: specifier: 'catalog:' - version: 6.2.1 + version: 7.5.3 write-yaml-file: specifier: 'catalog:' version: 5.0.0 
@@ -11899,10 +11900,6 @@ packages: chownr@1.1.4: resolution: {integrity: sha512-jJ0bqzaylmJtVnNgzTeSOs8DPavpbYgEr/b0YL8/2GO3xJEhInFmhKMUnEJQjZumK7KXGFhUy89PrsJWlakBVg==} - chownr@2.0.0: - resolution: {integrity: sha512-bIomtDF5KGpdogkLd9VspvFzk9KfpyyGlS8YFVZl7TGPBHL5snIOnxeshwVgPteQ9b4Eydl+pVbIyE1DcvCWgQ==} - engines: {node: '>=10'} - chownr@3.0.0: resolution: {integrity: sha512-+IxzY9BZOQd/XuYPRmrvEVjF/nqj5kgT4kEq7VofrDoM1MxoRjEWkrCC3EtLi59TVawxTAn+orJwFQcrqEN1+g==} engines: {node: '>=18'} @@ -12953,10 +12950,6 @@ packages: resolution: {integrity: sha512-yhlQgA6mnOJUKOsRUFsgJdQCvkKhcz8tlZG5HBQfReYZy46OwLcY+Zia0mtdHsOo9y/hP+CxMN0TU9QxoOtG4g==} engines: {node: '>=6 <7 || >=8'} - fs-minipass@2.1.0: - resolution: {integrity: sha512-V/JgOLFCS+R6Vcq0slCuaeWEdNC3ouDlJMNIsacH2VtALiu9mV4LPrHc5cDl8k5aw6J8jwgWWpiTo5RYhmIzvg==} - engines: {node: '>= 8'} - fs-minipass@3.0.3: resolution: {integrity: sha512-XUBA9XClHbnJWSfBzjkm6RvPsyg3sryZt06BEQoXcF7EK/xpGaQYJgQKDJSUH5SGZ76Y7pFx1QBnXz09rU5Fbw==} engines: {node: ^14.17.0 || ^16.13.0 || >=18.0.0} 
@@ -14352,20 +14345,12 @@ packages: resolution: {integrity: sha512-fNzuVyifolSLFL4NzpF+wEF4qrgqaaKX0haXPQEdQ7NKAN+WecoKMHV09YcuL/DHxrUsYQOK3MiuDf7Ip2OXfQ==} engines: {node: '>=8'} - minipass@5.0.0: - resolution: {integrity: sha512-3FnjYuehv9k6ovOEbyOswadCDPX1piCfhV8ncmYtHOjuPwylVWsghTLo7rabjC3Rx5xD4HDx8Wm1xnMF7S5qFQ==} - engines: {node: '>=8'} - minipass@7.1.2: resolution: {integrity: sha512-qOOzS1cBTWYF4BH8fVePDBOO9iptMnGUEZwNc/cMWnTV2nVLZ7VoNWEPHkYczZA0pdoA7dl6e7FL659nX9S2aw==} engines: {node: '>=16 || 14 >=14.17'} - minizlib@2.1.2: - resolution: {integrity: sha512-bAxsR8BVfj60DWXHE3u30oHzfl4G7khkSuPW+qvpd7jFRHm7dLxOjUk1EHACJ/hxLY8phGJ0YhYHZo7jil7Qdg==} - engines: {node: '>= 8'} - - minizlib@3.0.2: - resolution: {integrity: sha512-oG62iEk+CYt5Xj2YqI5Xi9xWUeZhDI8jjQmC5oThVH5JGCTgIjr7ciJDzC7MBzYd//WvR1OTmP5Q38Q8ShQtVA==} + minizlib@3.1.0: + resolution: {integrity: sha512-KZxYo1BUkWD2TVFLr0MQoM8vUUigWD3LlD83a/75BqC+4qE0Hb1Vo5v1FgcfaNXvfXzr+5EhQ6ing/CaBijTlw==} engines: {node: '>= 18'} mkdirp-classic@0.5.3: @@ -14376,11 +14361,6 @@ packages: engines: {node: '>=10'} hasBin: true - mkdirp@3.0.1: - resolution: {integrity: sha512-+NsyUUAZDmo6YVHzL/stxSu3t9YS1iljliy3BSDrXJ/dkn1KYdmtZODGGjLcc9XLgVVpH4KshHB8XmZgMhaBXg==} - engines: {node: '>=10'} - hasBin: true - module-not-found-error@1.0.1: resolution: {integrity: sha512-pEk4ECWQXV6z2zjhRZUongnLJNUeGQJ3w6OQ5ctGwD+i5o93qjRQUk2Rt6VdNeu3sEP0AB4LcfvdebpxBRVr4g==} 
@@ -15841,12 +15821,8 @@ packages: tar-stream@3.1.7: resolution: {integrity: sha512-qJj60CXt7IU1Ffyc3NJMjh6EkuCFej46zUqJ4J7pqYlThyd9bO0XBTmcOIhSzZJVWfsLks0+nle/j538YAW9RQ==} - tar@6.2.1: - resolution: {integrity: sha512-DZ4yORTwrbTj/7MZYq2w+/ZFdI6OZ/f9SFHR+71gIVUZhOQPHzVCLpvRnPgyaMpfWxxk/4ONva3GQSyNIKRv6A==} - engines: {node: '>=10'} - - tar@7.4.3: - resolution: {integrity: sha512-5S7Va8hKfV7W5U6g3aYxXmlPoZVAwUMy9AOKyF2fVuZa2UD3qZjg578OrLRt8PcNN1PleVaL/5/yYATNL0ICUw==} + tar@7.5.3: + resolution: {integrity: sha512-ENg5JUHUm2rDD7IvKNFGzyElLXNjachNLp6RaGf4+JOgxXHkqA+gq81ZAMCUmtMtqBsoU62lcp6S27g1LCYGGQ==} engines: {node: '>=18'} temp-dir@2.0.0: @@ -19720,7 +19696,7 @@ snapshots: prebuild-install: 7.1.1 resolve: 1.22.10 stream-meter: 1.0.4 - tar: 7.4.3 + tar: 7.5.3 tinyglobby: 0.2.14 unzipper: 0.12.3 transitivePeerDependencies: @@ -19750,7 +19726,7 @@ snapshots: p-limit: 2.3.0 semver: 7.7.2 strip-ansi: 6.0.1 - tar: 6.2.1 + tar: 7.5.3 tinylogic: 2.0.0 treeify: 1.1.0 tslib: 2.8.1 @@ -19781,7 +19757,7 @@ snapshots: p-limit: 2.3.0 semver: 7.7.2 strip-ansi: 6.0.1 - tar: 6.2.1 + tar: 7.5.3 tinylogic: 2.0.0 treeify: 1.1.0 tslib: 2.8.1 @@ -20337,7 +20313,7 @@ snapshots: minipass-pipeline: 1.2.4 p-map: 7.0.3 ssri: 12.0.0 - tar: 7.4.3 + tar: 7.5.3 unique-filename: 4.0.0 cacheable-lookup@5.0.4: {} @@ -20439,8 +20415,6 @@ snapshots: chownr@1.1.4: {} - chownr@2.0.0: {} - chownr@3.0.0: {} ci-info@3.9.0: {} @@ -21621,10 +21595,6 @@ snapshots: jsonfile: 4.0.0 universalify: 0.1.2 - fs-minipass@2.1.0: - dependencies: - minipass: 3.3.6 - fs-minipass@3.0.3: dependencies: minipass: 7.1.2 @@ -23341,7 +23311,7 @@ snapshots: dependencies: minipass: 7.1.2 minipass-sized: 1.0.3 - minizlib: 3.0.2 + minizlib: 3.1.0 optionalDependencies: encoding: 0.1.13 @@ -23363,16 +23333,9 @@ snapshots: minipass@4.2.8: {} - minipass@5.0.0: {} - minipass@7.1.2: {} - minizlib@2.1.2: - dependencies: - minipass: 3.3.6 - yallist: 4.0.0 - - minizlib@3.0.2: + minizlib@3.1.0: dependencies: minipass: 7.1.2 
@@ -23380,8 +23343,6 @@ snapshots: mkdirp@1.0.4: {} - mkdirp@3.0.1: {} - module-not-found-error@1.0.1: {} mri@1.2.0: {} @@ -23492,7 +23453,7 @@ snapshots: nopt: 8.1.0 proc-log: 5.0.0 semver: 7.7.2 - tar: 7.4.3 + tar: 7.5.3 which: 5.0.0 transitivePeerDependencies: - supports-color @@ -23507,7 +23468,7 @@ snapshots: nopt: 8.1.0 proc-log: 5.0.0 semver: 7.7.2 - tar: 7.4.3 + tar: 7.5.3 tinyglobby: 0.2.14 which: 5.0.0 transitivePeerDependencies: @@ -24974,22 +24935,12 @@ snapshots: fast-fifo: 1.3.2 streamx: 2.22.1 - tar@6.2.1: - dependencies: - chownr: 2.0.0 - fs-minipass: 2.1.0 - minipass: 5.0.0 - minizlib: 2.1.2 - mkdirp: 1.0.4 - yallist: 4.0.0 - - tar@7.4.3: + tar@7.5.3: dependencies: '@isaacs/fs-minipass': 4.0.1 chownr: 3.0.0 minipass: 7.1.2 - minizlib: 3.0.2 - mkdirp: 3.0.1 + minizlib: 3.1.0 yallist: 5.0.0 temp-dir@2.0.0: {} diff --git a/pnpm-workspace.yaml b/pnpm-workspace.yaml index eeecc05bd5..1183c3230a 100644 --- a/pnpm-workspace.yaml +++ b/pnpm-workspace.yaml @@ -286,7 +286,7 @@ catalog: strip-bom: ^5.0.0 strip-comments-strings: 1.2.0 symlink-dir: ^7.0.0 - tar: ^6.2.1 + tar: ^7.5.3 tar-stream: ^2.2.0 tempy: 3.0.0 terminal-link: ^4.0.0 @@ -341,6 +341,7 @@ minimumReleaseAgeExclude: - pnpm - publish-packed@5.0.0 - run-groups@4.0.0 + - tar@7.5.3 nodeVersion: 20.19.4 @@ -378,6 +379,7 @@ overrides: send@<0.19.0: ^0.19.0 serve-static@<1.16.0: ^1.16.0 socks@2: ^2.8.1 + tar@<=7.5.2: '>=7.5.3' tmp@<=0.2.3: '>=0.2.4' tough-cookie@<4.1.3: '>=4.1.3' validator@<13.15.22: '>=13.15.22' diff --git a/pnpm/package.json b/pnpm/package.json index c7f8868e44..ece7093c40 100644 --- a/pnpm/package.json +++ b/pnpm/package.json @@ -214,6 +214,7 @@ "send@<0.19.0": "^0.19.0", "serve-static@<1.16.0": "^1.16.0", "socks@2": "^2.8.1", + "tar@<=7.5.2": ">=7.5.3", "tmp@<=0.2.3": ">=0.2.4", "tough-cookie@<4.1.3": ">=4.1.3", "validator@<13.15.22": ">=13.15.22", 
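Review bot: The new `- tar@7.5.3` entry under `minimumReleaseAgeExclude` (pnpm-workspace.yaml, hunk `@@ -341,6 +341,7 @@`) exempts that release from the release-age delay without recording why. The exemption is pinned to one exact version, which keeps it narrow, but the delay is a supply-chain control and an exception to it should be explained and time-boxed. Presumably the audit fix was needed before 7.5.3 had aged past the threshold. I would add a comment above the entry such as `# tar@7.5.3: required by the audit fix before it reached the minimum release age; remove once it has`.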
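Review bot: The override `tar@<=7.5.2: '>=7.5.3'` (pnpm-workspace.yaml `@@ -379,6 +379,7 @@`, repeated in pnpm/package.json `@@ -214,6 +214,7 @@`) has no upper bound, and its selector also matches every 6.x request. A later re-resolution can therefore pick up a future major, and dependents that declared tar 6 are moved onto the 7.x API. The lockfile snapshots that change from `tar: 6.2.1` to `tar: 7.5.3` look like such dependents, so their tar call sites deserve a smoke test. Capping the target keeps the audit fix without the open range: `tar@<=7.5.2: ^7.5.3` (in package.json, `"tar@<=7.5.2": "^7.5.3"`). The neighbouring entries use the same open `>=` form, so this may be deliberate house style.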
diff --git a/releasing/plugin-commands-publishing/test/pack.ts b/releasing/plugin-commands-publishing/test/pack.ts
index f1bce34a7e..219db90015 100644
--- a/releasing/plugin-commands-publishing/test/pack.ts
+++ b/releasing/plugin-commands-publishing/test/pack.ts
@@ -2,7 +2,7 @@ import fs from 'fs'
 import path from 'path'
 import { pack } from '@pnpm/plugin-commands-publishing'
 import { prepare, preparePackages, tempDir } from '@pnpm/prepare'
-import tar from 'tar'
+import * as tar from 'tar'
 import chalk from 'chalk'
 import { sync as writeYamlFile } from 'write-yaml-file'
 import { filterPackagesFromDir } from '@pnpm/workspace.filter-packages-from-dir'