
Unleash / unleash / build 21097719456
Coverage: 86% (master: 91%)

LAST BUILD BRANCH: main
DEFAULT BRANCH: master
Ran 17 Jan 2026 05:01PM UTC
Jobs: 1
Files: 1135
Run time: 2min
17 Jan 2026 04:53PM UTC coverage: 86.188% (-0.01%) from 86.2%
Build 21097719456, push via github (web-flow)

chore(deps): update dependency tar to v7.5.3 [security] (#11240)

This PR contains the following updates:

| Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| [tar](https://redirect.github.com/isaacs/node-tar) | [`7.4.3` → `7.5.3`](https://renovatebot.com/diffs/npm/tar/7.4.3/7.5.3) | ![age](https://developer.mend.io/api/mc/badges/age/npm/tar/7.5.3?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/tar/7.4.3/7.5.3?slim=true) |

### GitHub Vulnerability Alerts

#### [CVE-2026-23745](https://redirect.github.com/isaacs/node-tar/security/advisories/GHSA-8qq5-rm4j-mr97)

### Summary

The `node-tar` library (`<= 7.5.2`) fails to sanitize the `linkpath` of
`Link` (hardlink) and `SymbolicLink` entries when `preservePaths` is
false (the default secure behavior). This allows malicious archives to
bypass the extraction root restriction, leading to **Arbitrary File
Overwrite** via hardlinks and **Symlink Poisoning** via absolute symlink
targets.

### Details

The vulnerability exists in `src/unpack.ts` within the `[HARDLINK]` and
`[SYMLINK]` methods.

**1. Hardlink Escape (Arbitrary File Overwrite)**

The extraction logic uses `path.resolve(this.cwd, entry.linkpath)` to
determine the hardlink target. Standard Node.js behavior dictates that
if the second argument (`entry.linkpath`) is an **absolute path**,
`path.resolve` ignores the first argument (`this.cwd`) entirely and
returns the absolute path.

The library fails to validate that this resolved target remains within
the extraction root. A malicious archive can create a hardlink to a
sensitive file on the host (e.g., `/etc/passwd`) and subsequently write
to it, if file permissions allow writing to the target file, bypassing
path-based security measures that may be in place.

**2. Symlink Poisoning**

The extraction logic passes the user-supplied `entry.linkpath` directly
to `... (continued)

1687 of 1897 branches covered (88.93%)

14259 of 16544 relevant lines covered (86.19%)

872.44 hits per line

Uncovered Existing Lines

| Lines | Coverage | ∆ | File |
|---|---|---|---|
| 1 | 83.13 | -1.2% | src/lib/features/playground/feature-evaluator/client.ts |
| 2 | 83.67 | -2.04% | src/lib/features/playground/feature-evaluator/constraint.ts |
Jobs

| ID | Job ID | Ran | Files | Coverage |
|---|---|---|---|---|
| 1 | 21097719456.1 | 17 Jan 2026 05:01PM UTC | 1135 | 86.19 |
Commit c6e8e98b on github (previous build on main: #21072182688)