Installing using the NPM package produces a warning about the use of an old version of the tar package.
```
$ node --version
v24.14.1
$ npm install -g @infisical/cli
npm warn deprecated tar@6.2.1: Old versions of tar are not supported, and contain widely publicized security vulnerabilities, which have been fixed in the current version. Please update. Support for old versions may be purchased (at exorbitant rates) by contacting i@izs.me
changed 13 packages in 4s
$ infisical --version
infisical version 0.43.72
```
The audit:
```
/usr/local/lib/node_modules/@infisical/cli $ npm audit
# npm audit report

tar  <=7.5.10
Severity: high
node-tar Vulnerable to Arbitrary File Creation/Overwrite via Hardlink Path Traversal - https://github.com/advisories/GHSA-34x7-hfp2-rc4v
node-tar is Vulnerable to Arbitrary File Overwrite and Symlink Poisoning via Insufficient Path Sanitization - https://github.com/advisories/GHSA-8qq5-rm4j-mr97
Arbitrary File Read/Write via Hardlink Target Escape Through Symlink Chain in node-tar Extraction - https://github.com/advisories/GHSA-83g3-92jg-28cx
tar has Hardlink Path Traversal via Drive-Relative Linkpath - https://github.com/advisories/GHSA-qffp-2rhf-9h96
node-tar Symlink Path Traversal via Drive-Relative Linkpath - https://github.com/advisories/GHSA-9ppj-qmqm-q256
Race Condition in node-tar Path Reservations via Unicode Ligature Collisions on macOS APFS - https://github.com/advisories/GHSA-r6q2-hw4h-h46w
fix available via `npm audit fix --force`
Will install tar@7.5.13, which is a breaking change
node_modules/tar

1 high severity vulnerability

To address all issues (including breaking changes), run:
  npm audit fix --force
```
Installing globally means the vulnerable tar@6.2.1 is installed globally as well, as a dependency of the CLI under /usr/local/lib/node_modules/@infisical/cli/node_modules/tar, where every user of that global install picks it up.