Fix tar hardlink path traversal vulnerability (CVE-2026-24842)

[JanPokorny]

Summary

Updates the tar package override to version 7.5.7 to address CVE-2026-24842 / GHSA-34x7-hfp2-rc4v, a hardlink path traversal vulnerability. This package is a transitive dependency via mintlify → @mintlify/previewing → tar@6.1.15.

Linked Issues

Documentation

• No Docs Needed: This is a security patch for a transitive dependency with no user-facing changes.

https://claude.ai/code/session_019BruC7Tp3ARg7ifVV21d17

[gemini-code-assist]

Summary of Changes

Hello, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request implements a critical security update by addressing a hardlink path traversal vulnerability (CVE-2026-24842) found in the tar package. The fix involves explicitly overriding the tar package version to 7.5.7 within the project's dependency management, ensuring that the vulnerable version is no longer used. This change is a backend security patch and has no user-facing impact.

Highlights

• Security Vulnerability Fix: Addressed CVE-2026-24842, a hardlink path traversal vulnerability found in the tar package.
• Dependency Update: Updated the tar package override to version 7.5.7 to mitigate the identified vulnerability.
• Transitive Dependency: The tar package is a transitive dependency, specifically via mintlify -> @mintlify/previewing.

🧠 New Feature in Public Preview: You can now enable Memory to help Gemini Code Assist learn from your team's feedback. This makes future code reviews more consistent and personalized to your project's style. Click here to enable Memory in your admin console.

Changelog

• pnpm-lock.yaml
  • Updated @carbon/react to version 1.102.0.
  • Introduced an override for tar to enforce version 7.5.7.
  • Updated various transitive dependencies of tar, including chownr, minipass, minizlib, and yallist to their latest compatible versions.
  • Added @isaacs/fs-minipass as a new dependency.
  • Removed older versions of fs-minipass, minipass, and mkdirp.
• pnpm-workspace.yaml
  • Added a new override entry for the tar package, specifying version 7.5.7, along with comments detailing the CVE it addresses.

Activity

• No human activity has been recorded on this pull request since its creation.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request correctly addresses the tar hardlink path traversal vulnerability (GHSA-34x7-hfp2-rc4v) by overriding the package version to 7.5.7. The changes in pnpm-lock.yaml are consistent with this override.

I've pointed out a minor typo in the CVE number in a comment within pnpm-workspace.yaml. The correct CVE is CVE-2024-28863. It would be good to correct this in the PR title and description as well for accuracy.

[gemini-code-assist]

There seems to be a typo in the CVE number. The correct CVE for GHSA-34x7-hfp2-rc4v is CVE-2024-28863, not CVE-2026-24842. It's good practice to keep these references accurate for future tracking.

  # Fix CVE-2024-28863 / GHSA-34x7-hfp2-rc4v: node-tar hardlink path traversal vulnerability