Unleash / unleash / 21227794706
86%
master: 91%

LAST BUILD BRANCH: main
DEFAULT BRANCH: master
Ran
Jobs 1
Files 1136
Run time 2min
Badge
Embed ▾
README BADGES
x

If you need to use a raster PNG badge, change the '.svg' to '.png' in the link

Markdown

Textile

RDoc

HTML

Rst
coverage: 86.174% (-0.02%) from 86.192%
21227794706

push

github

web-flow 
chore(deps): update dependency tar to v7.5.4 [security] (#11246)

This PR contains the following updates:

| Package | Change |
[Age](https://docs.renovatebot.com/merge-confidence/) |
[Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| [tar](https://redirect.github.com/isaacs/node-tar) | [`7.5.3` →
`7.5.4`](https://renovatebot.com/diffs/npm/tar/7.5.3/7.5.4) |
![age](https://developer.mend.io/api/mc/badges/age/npm/tar/7.5.4?slim=true)
|
![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/tar/7.5.3/7.5.4?slim=true)
|

### GitHub Vulnerability Alerts

####
[CVE-2026-23950](https://redirect.github.com/isaacs/node-tar/security/advisories/GHSA-r6q2-hw4h-h46w)

**TITLE**: Race Condition in node-tar Path Reservations via Unicode
Sharp-S (ß) Collisions on macOS APFS

**AUTHOR**: Tomás Illuminati

### Details

A race condition vulnerability exists in `node-tar` (v7.5.3) this is to
an incomplete handling of Unicode path collisions in the
`path-reservations` system. On case-insensitive or
normalization-insensitive filesystems (such as macOS APFS, In which it
has been tested), the library fails to lock colliding paths (e.g., `ß`
and `ss`), allowing them to be processed in parallel. This bypasses the
library's internal concurrency safeguards and permits Symlink Poisoning
attacks via race conditions. The library uses a `PathReservations`
system to ensure that metadata checks and file operations for the same
path are serialized. This prevents race conditions where one entry might
clobber another concurrently.

```typescript
// node-tar/src/path-reservations.ts (Lines 53-62)
reserve(paths: string[], fn: Handler) {
    paths =
      isWindows ?
        ['win32 parallelization disabled']
      : paths.map(p => {
          return stripTrailingSlashes(
            join(normalizeUnicode(p)), // <- THE PROBLEM FOR MacOS FS
          ).toLowerCase()
        })

```

In MacOS the ```join(normalizeUnicode(p)), ``` FS confuses ß w... (continued)

1685 of 1897 branches covered (88.82%)

14260 of 16548 relevant lines covered (86.17%)

856.66 hits per line

Uncovered Existing Lines

Lines Coverage File
3
81.63
 -3.06% src/lib/features/playground/feature-evaluator/constraint.ts
Jobs
ID Job ID Ran Files Coverage
1 21227794706.1 1136
86.17
 GitHub Action Run
Source Files on build 21227794706