Skip to content

Patch tar DoS advisories by dropping pinyin's nodejieba (SNYK-JS-TAR-17909068, SNYK-JS-TAR-17909152)#1057

Merged
juliasilge merged 1 commit into
mainfrom
chore/bump-pinyin
Jul 14, 2026
Merged

Patch tar DoS advisories by dropping pinyin's nodejieba (SNYK-JS-TAR-17909068, SNYK-JS-TAR-17909152)#1057
juliasilge merged 1 commit into
mainfrom
chore/bump-pinyin

Conversation

@juliasilge

@juliasilge juliasilge commented Jul 14, 2026

Copy link
Copy Markdown
Collaborator

Bump pinyin from ^2.10.2 to ^4.0.0 in packages/editor and drop the now-redundant @types/pinyin devDependency, closing the two remaining tar advisories from #1052:

  • SNYK-JS-TAR-17909068 infinite loop / CVE-2026-59874
  • SNYK-JS-TAR-17909152 resource exhaustion / CVE-2026-59873

The third vulnerability in the Snyk PR, the js-yaml merge-key DoS (SNYK-JS-JSYAML-17900054), was already resolved by the lockfile re-resolution in #1056, so editor's js-yaml: ^4.1.0 already resolves to the patched 4.3.0 and no js-yaml change is needed here.

Unlike the earlier dependency advisories, the tar fix is only available in tar 7.5.18/7.5.19; there is no patched 6.x release, so a within-major lockfile re-resolution is not possible. The vulnerable tar 6.1.13 is pulled in transitively along a single path: editor -> pinyin -> nodejieba (optionalDependency) -> @mapbox/node-pre-gyp -> tar. Rather than force tar 7 through node-pre-gyp 1.x (which pins tar ^6.1.11 and is not compatible with tar 7's API/engine changes), bumping pinyin to 4.0.0 removes the entire native subtree: pinyin 4 drops the nodejieba optional dependency, which eliminates nodejieba, @mapbox/node-pre-gyp, and tar from the lockfile altogether (about 160 fewer lockfile lines and no native install-time build step).

This supersedes Snyk PR #1052, which bumped pinyin in package.json but did not update yarn.lock and left the stale @types/pinyin behind.

There is no behavior change from this change. The editor uses pinyin at a single call site (createUniqueCiteId in cite.ts) to romanize an individual Hanzi character into an ASCII citekey. pinyin 4 returns byte-identical romanizations for that call, its CJS build sets __esModule and its ESM build exports the callable as default, so the existing import pinyin from 'pinyin' default import resolves correctly under both the TypeScript esModuleInterop path and the Vite/Rollup bundle. All working correctly, shown here with a search for the DOI 10.1142/9789814285780:

Screenshot 2026-07-14 at 10 17 52 AM

The dropped nodejieba only ever affected multi-character segment mode, which this single-character call never used. Verified with tsc --noEmit on packages/editor and a full vscode-editor build.

Closes #1052

@posit-snyk-bot

posit-snyk-bot commented Jul 14, 2026

Copy link
Copy Markdown
Contributor

Snyk checks have passed. No issues have been found so far.

Status Scan Engine Critical High Medium Low Total (0)
Open Source Security 0 0 0 0 0 issues
Licenses 0 0 0 0 0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

@juliasilge juliasilge requested a review from cscheid July 14, 2026 16:20

@cscheid cscheid left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good!

@juliasilge juliasilge merged commit 379ffb4 into main Jul 14, 2026
5 of 6 checks passed
kevinushey added a commit to rstudio/rstudio that referenced this pull request Jul 14, 2026
* raise node heap for panmirror vite build

quarto-dev/quarto#1057 bumped pinyin to 4.x, which bundles several MB of
dictionary data into panmirror.js (4.8 MB -> 13 MB). Rendering the bundle
and its sourcemap now exceeds node's default ~2GB heap on the GitHub
macOS runners, so every PR build OOMs in 'Building GWT sources'.
Verified locally: the build fails with --max-old-space-size=2048 and
succeeds with 4096.

* preserve caller-provided NODE_OPTIONS

ant's <env> replaces the variable outright, which would drop e.g. proxy
or heap settings from the caller's environment. splice the inherited
value in after our flag so caller flags take precedence (node applies
the last occurrence of a flag).
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants