fix: add snyk ignores for tar symlink attack vulns (#769)

bgardiner · web-flow · commit c06267f7b818 · 2026-03-17T15:05:25.000+02:00
SNYK-JS-TAR-15416075 and SNYK-JS-TAR-15456201 affect tar@6.2.1 via
@yarnpkg/core which is pinned to tar@^6. Fixes only exist in tar 7.x,
blocked on upstream @yarnpkg/core update.
diff --git a/.snyk b/.snyk
@@ -6,4 +6,12 @@ ignore:
     - 'snyk-nodejs-lockfile-parser > @yarnpkg/core > tar':
         reason: 'Indirect dependency from snyk-nodejs-lockfile-parser, waiting for upstream fix'
         expires: 2026-03-26T00:00:00.000Z
+  SNYK-JS-TAR-15416075:
+    - 'snyk-nodejs-lockfile-parser > @yarnpkg/core > tar':
+        reason: 'Indirect dependency from snyk-nodejs-lockfile-parser, waiting for upstream fix'
+        expires: 2026-03-26T00:00:00.000Z
+  SNYK-JS-TAR-15456201:
+    - 'snyk-nodejs-lockfile-parser > @yarnpkg/core > tar':
+        reason: 'Indirect dependency from snyk-nodejs-lockfile-parser, waiting for upstream fix'
+        expires: 2026-03-26T00:00:00.000Z
 patch: {}
