fix: pin tar override for npm installs

2026-01-26 22:58:05 +00:00
parent 2807f5afbc
commit 6cbdd767af
2 changed files with 4 additions and 0 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -51,6 +51,7 @@ Status: unreleased.
 - **BREAKING:** Gateway auth mode "none" is removed; gateway now requires token/password (Tailscale Serve identity still allowed).

 ### Fixes
+- Security: pin npm overrides to keep tar@7.5.4 for install toolchains.
 - BlueBubbles: coalesce inbound URL link preview messages. (#1981) Thanks @tyler6204.
 - Agents: include memory.md when bootstrapping memory context. (#2318) Thanks @czekaj.
 - Telegram: wrap reasoning italics per line to avoid raw underscores. (#2181) Thanks @YuriNachos.
--- a/package.json
+++ b/package.json
@@ -237,6 +237,9 @@
    "vitest": "^4.0.18",
    "wireit": "^0.14.12"
  },
+  "overrides": {
+    "tar": "7.5.4"
+  },
  "pnpm": {
    "minimumReleaseAge": 2880,
    "overrides": {