
[rush] rush-lib depends on an old version of tar that has a security issue #5553

@kgetz-arista

Description

Summary

rush-lib is still using an old version of tar 6.x:

https://github.com/microsoft/rushstack/blob/main/libraries/rush-lib/package.json#L69

Old versions of tar have a security issue:

GHSA-8qq5-rm4j-mr97

Repro steps

Use rush-lib in a repo and run a security scan.

Expected result: No issues

Actual result: 1 security issue

Details

rush-lib should be updated to use the latest version of tar.

Standard questions

Please answer these questions to help us investigate your issue more quickly:

N/A
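Added example, not code from this issue or from the rushstack project: a small Node script that finds every installed copy of a package in a package-lock.json v2/v3 `packages` map (including a copy nested under rush-lib) and flags the ones below a minimum version. The minimum version must be taken from the advisory itself; the `7.0.0` threshold and the lockfile excerpt below are constructed placeholders, not real data.

```javascript
// Added example (not from the issue or rushstack). The minimum safe version
// must come from GHSA-8qq5-rm4j-mr97; "7.0.0" here is a constructed placeholder.

// Parse "MAJOR.MINOR.PATCH" into numbers (pre-release/build suffix ignored).
function parseSemver(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Numeric comparison: negative, zero or positive, like an Array.sort comparator.
function compareSemver(a, b) {
  const [pa, pb] = [parseSemver(a), parseSemver(b)];
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// Every installed copy of `name`, hoisted or nested (for example
// node_modules/@rushstack/rush-lib/node_modules/tar), as {path, version}.
function findInstalledCopies(lock, name) {
  const suffix = `node_modules/${name}`;
  return Object.entries(lock.packages || {})
    .filter(([p]) => p === suffix || p.endsWith(`/${suffix}`))
    .map(([p, entry]) => ({ path: p, version: entry.version }));
}

// Copies older than `minVersion`, with the package whose tree they sit in
// ("<root>" for a hoisted top-level copy).
function findVulnerableCopies(lock, name, minVersion) {
  return findInstalledCopies(lock, name)
    .filter((c) => compareSemver(c.version, minVersion) < 0)
    .map((c) => {
      const segs = c.path.split('node_modules/').filter(Boolean).map((s) => s.replace(/\/$/, ''));
      return { ...c, dependent: segs.length > 1 ? segs[segs.length - 2] : '<root>' };
    });
}

// Constructed lockfile excerpt: a hoisted newer tar plus an older 6.x copy
// nested under @rushstack/rush-lib, which is the situation the issue reports.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    'node_modules/tar': { version: '7.4.3' },
    'node_modules/@rushstack/rush-lib': { version: '5.0.0' },
    'node_modules/@rushstack/rush-lib/node_modules/tar': { version: '6.2.1' },
    'node_modules/tar-stream': { version: '3.1.7' },
  },
};

if (typeof require !== 'undefined' && require.main === module) {
  console.log(findVulnerableCopies(SAMPLE_LOCK, 'tar', '7.0.0'));
}
```

Run it against a real lockfile by replacing `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync('package-lock.json'))`; a security scanner reports the nested copy, not the hoisted one, so both must be checked.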

Metadata

Labels: effort: easy (Probably a quick fix. Want to contribute? :-)), help wanted (If you're looking to contribute, this issue is a good place to start!)

Status: Closed

Milestone: No milestone