Unleash / unleash / 22184429809
86%
master: 91%

LAST BUILD BRANCH: main
DEFAULT BRANCH: master
Ran
Jobs 1
Files 1152
Run time 2min
Badge
Embed ▾
README BADGES
x

If you need to use a raster PNG badge, change the '.svg' to '.png' in the link

Markdown

Textile

RDoc

HTML

Rst
coverage: 86.125% (+0.03%) from 86.095%
22184429809

push

github

web-flow 
chore(deps): update dependency tar to v7.5.8 [security] (#11364)

This PR contains the following updates:

| Package | Change |
[Age](https://docs.renovatebot.com/merge-confidence/) |
[Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| [tar](https://redirect.github.com/isaacs/node-tar) | [`7.5.7` →
`7.5.8`](https://renovatebot.com/diffs/npm/tar/7.5.7/7.5.8) |
![age](https://developer.mend.io/api/mc/badges/age/npm/tar/7.5.8?slim=true)
|
![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/tar/7.5.7/7.5.8?slim=true)
|

### GitHub Vulnerability Alerts

####
[CVE-2026-26960](https://redirect.github.com/isaacs/node-tar/security/advisories/GHSA-83g3-92jg-28cx)

### Summary
`tar.extract()` in Node `tar` allows an attacker-controlled archive to
create a hardlink inside the extraction directory that points to a file
outside the extraction root, using default options.

This enables **arbitrary file read and write** as the extracting user
(no root, no chmod, no `preservePaths`).

Severity is high because the primitive bypasses path protections and
turns archive extraction into a direct filesystem access primitive.

### Details
The bypass chain uses two symlinks plus one hardlink:

1. `a/b/c/up -> ../..`
2. `a/b/escape -> c/up/../..`
3. `exfil` (hardlink) ->
`a/b/escape/<target-relative-to-parent-of-extract>`

Why this works:

- Linkpath checks are string-based and do not resolve symlinks on disk
for hardlink target safety.
  - See `STRIPABSOLUTEPATH` logic in:
- `../tar-audit-setuid -
CVE/node_modules/tar/dist/commonjs/unpack.js:255`
- `../tar-audit-setuid -
CVE/node_modules/tar/dist/commonjs/unpack.js:268`
- `../tar-audit-setuid -
CVE/node_modules/tar/dist/commonjs/unpack.js:281`

- Hardlink extraction resolves target as `path.resolve(cwd,
entry.linkpath)` and then calls `fs.link(target, destination)`.
- `../tar-audit-setuid -
CVE/node_modules/tar/dist/commonjs/unpack.js:566`
- `../tar-audit-setuid -
CVE/node_modul... (continued)

1746 of 1964 branches covered (88.9%)

14568 of 16915 relevant lines covered (86.12%)

903.1 hits per line

Uncovered Existing Lines

Lines Coverage File
1
85.94
 -0.78% src/lib/services/api-token-service.ts
Jobs
ID Job ID Ran Files Coverage
1 22184429809.1 1152
86.12
 GitHub Action Run
Source Files on build 22184429809