Drop tar-fs / ws npm overrides once pagedjs-cli ships on modern puppeteer

[JohnRDOrazio]

Status

Blocked on upstream. Action required when one of the done-when conditions below is met.

Context

PR #35 added two npm overrides to package.json to clear four high-severity Dependabot alerts:

"overrides": {
  "tar-fs": "^3.1.2",
  "ws": "^8.18.0"
}

The alerts were on transitive dependencies of the build pipeline:

pagedjs-cli@0.4.3
  └── puppeteer@^20.9.0          ← upstream's version pin (end-of-life)
        ├── @puppeteer/browsers@1.4.6
        │     └── tar-fs@3.0.4   ← 3 CVEs (symlink bypass, escape, path traversal)
        └── puppeteer-core@20.9.0
              └── ws@8.13.0      ← DoS via many headers

Dependabot can't fix this on its own because the vulnerable versions are pinned by puppeteer@^20.x, which pagedjs-cli@0.4.3 requires. The override forces npm to install patched versions across the whole tree regardless of what intermediate packages requested.

Why we can't just bump pagedjs-cli

At the time of writing:

• 0.4.3 is the latest stable release.
• 0.5.0-beta.2 exists and uses puppeteer@^22.x (which would resolve the chain natively), but is a pre-release.
• 1.0.0-alpha.2 exists but uses an older puppeteer@^14.x — abandoned alpha, not a forward path.
• The pagedjs/pagedjs-cli GitHub repo has zero releases tagged; the project is in maintenance mode rather than active development.

Done-when criteria

Drop the overrides block (and regenerate package-lock.json) when any of these is true:

• pagedjs-cli ships a stable release (≥ 0.5.0 non-prerelease) whose direct puppeteer dependency is on a version that pulls in tar-fs ≥ 3.1.1 and ws ≥ 8.17.1. Sanity check: npm view pagedjs-cli@<new-version> dependencies | grep puppeteer, then npm view puppeteer@<that-version> dependencies for the chain.
• We migrate off pagedjs-cli entirely (e.g., switch to a different PDF renderer for npm run build:pdf).
• A new advisory is published whose patched version is higher than what our overrides currently pin — at which point bump the overrides and reset the watch.

How to remove the overrides

Once a done-when condition is met:

1. Bump pagedjs-cli to the new stable in devDependencies.
2. Delete the overrides block from package.json.
3. rm package-lock.json && PUPPETEER_SKIP_DOWNLOAD=true npm install.
4. Verify npm ls tar-fs and npm ls ws resolve to ≥ patched versions naturally.
5. Verify npm audit reports 0 vulnerabilities.
6. Open a PR; the Build Test workflow will validate the PDF still renders.

Practical exploitability (for context)

Neither vulnerability is reachable in our actual build/deploy:

• PUPPETEER_SKIP_DOWNLOAD: 'true' is set in CI and deploy, so tar-fs (the Chrome-tarball extractor used at install time by @puppeteer/browsers) is never invoked — we use system Chrome via PUPPETEER_EXECUTABLE_PATH.
• ws is used as a client to local Chrome's DevTools port, not as a server accepting external traffic — the DoS-via-many-headers attack is on the server side.

The overrides are hygiene and audit-cleanliness, not a fix for an active threat. That said, dropping them when upstream catches up is still the cleaner endpoint.

References

• PR adding the overrides: chore(deps): override tar-fs and ws to clear transitive CVEs #35
• Advisories: GHSA on tar-fs (3 distinct) and ws (DoS via many headers) — see the repo's Security tab for full text.
• Upstream: https://github.com/pagedjs/pagedjs-cli
• npm overrides docs: https://docs.npmjs.com/cli/v10/configuring-npm/package-json#overrides