
CVE-2026-24842 #320

@dbollinger

Description


Bump @mapbox/node-pre-gyp to ^2.0.0 to address tar CVE (CVE-2026-24842)

Summary

pprof currently depends on @mapbox/node-pre-gyp: ^1.0.9. The 1.x line of node-pre-gyp uses tar ^6.1.0, which is vulnerable to CVE-2026-24842 (path traversal when extracting tar archives).

@mapbox/node-pre-gyp 2.x already uses tar ^7.4.0, which includes the fix. Bumping pprof’s dependency to @mapbox/node-pre-gyp: ^2.0.0 would resolve the CVE for downstreams without requiring lockfile overrides.

Impact

Downstream users (e.g. via @google-cloud/profiler) currently have to add a pnpm/npm override like "tar": ">=7.5.7" to satisfy security scanners. Fixing this in pprof would allow removing that override.

Note on compatibility

  • node-pre-gyp 2.x requires Node.js >= 18 (see their package.json).
  • pprof 4.0.0 currently supports Node 14+. If you bump to node-pre-gyp 2.x, you may want to document that a future release requires Node 18+ (or bump pprof’s engines field accordingly).

References
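Downstreams that want to confirm whether the override described above is still needed can check the installed tar copies directly. The following is an added example, not code from pprof or node-pre-gyp: it walks the `packages` map of a lockfileVersion 2/3 `package-lock.json` and flags every tar entry below the `>=7.5.7` floor the issue quotes. The sample lockfile is constructed for the demo; the helper names are assumptions.

```javascript
// Added example (not from the pprof project): find installed copies of tar
// below the floor quoted in the issue's override ("tar": ">=7.5.7").
const MIN_SAFE_TAR = '7.5.7';

// "7.4.0" -> [7, 4, 0]; a prerelease suffix such as "-beta.1" is ignored
// (assumption: a numeric compare is enough for this check).
function parseVersion(v) {
  return v.replace(/^v/, '').split('-')[0].split('.').map(n => parseInt(n, 10) || 0);
}

// Comparator: negative if a < b, zero if equal, positive if a > b.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Collect every tar entry in the lockfile "packages" map, including nested
// copies such as node_modules/@mapbox/node-pre-gyp/node_modules/tar, whose
// version is below MIN_SAFE_TAR. Returns [{ path, version }].
function findVulnerableTar(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!/(^|\/)node_modules\/tar$/.test(path)) continue;
    if (meta.version && compareVersions(meta.version, MIN_SAFE_TAR) < 0) {
      hits.push({ path, version: meta.version });
    }
  }
  return hits;
}

// Constructed sample: pprof resolving node-pre-gyp 1.x, which nests tar 6.x,
// while the top-level tar has already been overridden to 7.5.7.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    'node_modules/pprof': { version: '4.0.0' },
    'node_modules/@mapbox/node-pre-gyp': { version: '1.0.9' },
    'node_modules/@mapbox/node-pre-gyp/node_modules/tar': { version: '6.1.0' },
    'node_modules/tar': { version: '7.5.7' },
  },
};

for (const h of findVulnerableTar(SAMPLE_LOCK)) {
  console.log(`${h.path}: tar ${h.version} is below ${MIN_SAFE_TAR}`);
}
```

To run it against a real project, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`; an empty result means no installed tar copy is below the floor.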
