CVE-2026-24842

# Bump @mapbox/node-pre-gyp to ^2.0.0 to address tar CVE (CVE-2026-24842)

## Summary

`pprof` currently depends on `@mapbox/node-pre-gyp: ^1.0.9`. The 1.x line of node-pre-gyp uses `tar ^6.1.0`, which is vulnerable to **CVE-2026-24842** (path traversal when extracting tar archives).

`@mapbox/node-pre-gyp` 2.x already uses `tar ^7.4.0`, which includes the fix. Bumping pprof’s dependency to `@mapbox/node-pre-gyp: ^2.0.0` would resolve the CVE for downstreams without requiring lockfile overrides.

## Impact

Downstream users (e.g. via `@google-cloud/profiler`) currently have to add a pnpm/npm override like `"tar": ">=7.5.7"` to satisfy security scanners. Fixing this in pprof would allow removing that override.

## Note on compatibility

- node-pre-gyp 2.x requires **Node.js >= 18** ([see their package.json](https://github.com/mapbox/node-pre-gyp/blob/master/package.json)).
- pprof 4.0.0 currently supports Node 14+. If you bump to node-pre-gyp 2.x, you may want to document that a future release requires Node 18+ (or bump pprof’s engines field accordingly).

## References

- [CVE-2026-24842](https://nvd.nist.gov/vuln/detail/CVE-2026-24842) – node-tar path traversal
- [node-pre-gyp 2.x uses tar ^7.4.0](https://github.com/mapbox/node-pre-gyp/blob/master/package.json)
- [node-pre-gyp #597](https://github.com/mapbox/node-pre-gyp/issues/597) – earlier tar CVE discussion (1.x line)


Provide feedback

Saved searches

Use saved searches to filter your results more quickly

CVE-2026-24842 #320

Bump @mapbox/node-pre-gyp to ^2.0.0 to address tar CVE (CVE-2026-24842)

Summary

Impact

Note on compatibility

References

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

CVE-2026-24842 #320

Description

Bump @mapbox/node-pre-gyp to ^2.0.0 to address tar CVE (CVE-2026-24842)

Summary

Impact

Note on compatibility

References

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions