
npm audit reports high severity vulnerabilities via tar (make-fetch-happen -> cacache -> tar) #46

@pmd3d

Description

Summary

Running npm audit after installing purescript (which depends on purescript-installer) reports 5 high severity vulnerabilities coming from a vulnerable tar version pulled in through:

purescript → purescript-installer → make-fetch-happen → cacache → tar

npm audit fix reports that fixes are available only with --force and that it may install a different/breaking version of purescript.

Affected advisories

node-tar is Vulnerable to Arbitrary File Overwrite and Symlink Poisoning via Insufficient Path Sanitization - GHSA-8qq5-rm4j-mr97

Race Condition in node-tar Path Reservations via Unicode Ligature Collisions on macOS APFS - GHSA-r6q2-hw4h-h46w

Steps to reproduce

Using a clean environment (example: Ubuntu Docker):

docker run --rm -it ubuntu:latest bash
apt-get update
apt-get install -y curl ca-certificates
curl -fsSL https://deb.nodesource.com/setup_current.x | bash -
apt-get install -y nodejs

mkdir -p /work
cd /work
npm init -y
npm install --save-dev purescript
npm audit

Actual result

npm audit reports (excerpt):

tar <=7.5.3
Severity: high
node-tar is Vulnerable to Arbitrary File Overwrite and Symlink Poisoning via Insufficient Path Sanitization - GHSA-8qq5-rm4j-mr97
Race Condition in node-tar Path Reservations via Unicode Ligature Collisions on macOS APFS - GHSA-r6q2-hw4h-h46w
fix available via npm audit fix --force
Will install purescript@0.14.9, which is a breaking change
node_modules/tar
cacache 14.0.0 - 18.0.4
Depends on vulnerable versions of tar
node_modules/make-fetch-happen/node_modules/cacache
make-fetch-happen 7.1.1 - 14.0.0
Depends on vulnerable versions of cacache
node_modules/make-fetch-happen
purescript-installer >=0.2.3
Depends on vulnerable versions of make-fetch-happen
Depends on vulnerable versions of tar
node_modules/purescript-installer
purescript >=0.15.0-alpha-06
Depends on vulnerable versions of purescript-installer
node_modules/purescript

5 high severity vulnerabilities

To address all issues (including breaking changes), run:
npm audit fix --force

Expected result

purescript-installer’s dependency tree should avoid vulnerable versions of tar / cacache (or otherwise provide a remediation path that does not require npm audit fix --force).

Environment

  • OS: [e.g. Ubuntu 24.04 in Docker / ubuntu:latest]

  • Node: 25.3.0

  • npm: 11.6.2

  • purescript package version: purescript@0.15.15

  • purescript-installer version: purescript-installer@0.3.5

Notes / possible direction

It looks like the vulnerabilities are introduced via make-fetch-happen/cacache pulling in tar <= 7.5.3. Would it be possible to bump make-fetch-happen and/or cacache to versions that depend on a patched tar, or otherwise pin/override to a safe range?
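The pin/override route mentioned in the notes above, as an added example that is not part of the issue or of purescript-installer's own code: a small Node script that walks the `packages` map of an npm `package-lock.json` (lockfileVersion 2/3, the same `node_modules/...` paths the audit excerpt lists), reports every installed copy of `tar` at or below the `<=7.5.3` ceiling the audit gives, and builds the package.json `overrides` entry a consumer project could use to lift all copies at once. The lockfile fragment is constructed and its versions are illustrative; the `>7.5.3` range is derived only from the audit's ceiling, since the issue does not state which tar release carries the fix.

```javascript
// Added example, not code from the issue or from purescript-installer.
// Scans a lockfile "packages" map for every installed copy of a package at or
// below a vulnerable ceiling and builds the package.json "overrides" fragment.

// Constructed sample lockfile mirroring the tree in the audit excerpt.
// All versions are illustrative; only the tar ceiling (<=7.5.3) comes from the audit.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "work", devDependencies: { purescript: "^0.15.15" } },
    "node_modules/purescript": { version: "0.15.15" },
    "node_modules/purescript-installer": { version: "0.3.5" },
    "node_modules/make-fetch-happen": { version: "9.1.0" },
    "node_modules/make-fetch-happen/node_modules/cacache": { version: "15.3.0" },
    "node_modules/tar": { version: "7.5.3" },
    "node_modules/make-fetch-happen/node_modules/tar": { version: "6.2.1" },
    "node_modules/tar-fs": { version: "3.0.4" },          // decoy: not "tar"
    "node_modules/some-dep/node_modules/tar": { version: "7.5.4" }, // above ceiling
  },
};

// Parse "MAJOR.MINOR.PATCH[-pre]" into numbers plus an optional pre-release tag.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?$/.exec(String(v).trim());
  if (!m) return null;
  return { parts: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] || "" };
}

// Three-way compare (-1, 0, 1). Per semver, a pre-release of X sorts below X.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a.parts[i] !== b.parts[i]) return a.parts[i] < b.parts[i] ? -1 : 1;
  }
  if (a.pre === b.pre) return 0;
  if (a.pre && !b.pre) return -1;
  if (!a.pre && b.pre) return 1;
  return a.pre < b.pre ? -1 : 1;
}

// True for the top-level copy or any nested node_modules copy of exactly
// pkgName, so "tar-fs" is not matched when looking for "tar".
function isCopyOf(lockPath, pkgName) {
  return (
    lockPath === `node_modules/${pkgName}` ||
    lockPath.endsWith(`/node_modules/${pkgName}`)
  );
}

// Every installed copy whose version is <= ceiling (unparseable versions are
// reported rather than silently treated as safe).
function findVulnerableCopies(lock, pkgName, ceiling) {
  const max = parseVersion(ceiling);
  const hits = [];
  for (const [lockPath, meta] of Object.entries(lock.packages || {})) {
    if (!isCopyOf(lockPath, pkgName)) continue;
    const ver = parseVersion(meta.version);
    if (!ver || compareVersions(ver, max) <= 0) {
      hits.push({ path: lockPath, version: meta.version });
    }
  }
  return hits.sort((x, y) => x.path.localeCompare(y.path));
}

// The "overrides" fragment; npm applies it to every copy in the tree,
// including the nested ones under make-fetch-happen/cacache.
function buildOverride(pkgName, ceiling) {
  return { overrides: { [pkgName]: `>${ceiling}` } };
}

function report(lock, pkgName, ceiling) {
  const hits = findVulnerableCopies(lock, pkgName, ceiling);
  return { vulnerable: hits, override: hits.length ? buildOverride(pkgName, ceiling) : null };
}

console.log(JSON.stringify(report(sampleLock, "tar", "7.5.3"), null, 2));
```

To run it against a real tree, replace `sampleLock` with the parsed contents of the project's `package-lock.json`; after adding the override and reinstalling, `npm ls tar` shows whether every copy was lifted. An override only patches the consuming project, which is why the issue asks for the dependency ranges to be raised in purescript-installer itself.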
