Unleash / unleash

86%

master: 91%

LAST BUILD ON BRANCH main

branch: SELECT

CHANGE BRANCH

x

• No branch selected
• 1-3761
• 1-3772
• 1-3776
• 1-3781
• 1-3885
• 2-3221
• 2-3623
• ability-to-add-openapi-badges
• add-cdn-tokens-table
• add-timer-event-store
• amend-audit-log-for-user-creation
• back-to-impact-metrics
• bulk-impact-metrics
• bump-node-client-metrics-flags
• bump-node-sdk-token-parsing
• cancel-duplicate-ci-runs
• cdn-events
• chore(1-3753)/block-deletion-of-context-server
• chore(1-3807)/remove-flag-addEditStrategy
• chore(1-3807)/remove-flag-addEditStrategy-take2
• chore(1-3835)/improve-json-diff-view
• chore(1-3905)/send-flag-enabled-to-hubspot
• chore(1-3921)/set-sdk-version-on-clientns
• chore-add-flag-paygInstanceStatsEvents
• chore-add-permissions-to-ai-flag-cleanup-workflow
• chore-ai-flag-cleanup-action-trigger-workflows
• chore-ai-flag-cleanup-add-missing-permissions
• chore-ai-flag-cleanup-better-support-for-url-friendly-flag-names
• chore-ai-flag-cleanup-extended-tests
• chore-ai-flag-cleanup-fix-prompt
• chore-ai-flag-cleanup-report-errors-back-to-issue
• chore-ai-flag-cleanup-test
• chore-allow-bulk-metrics-with-empty-flag-names
• chore-cleanup-project-related-tech-debt
• chore-dont-include-passwordlink-if-its-unleashurl
• chore-emit-client-metrics-event-after-sifting
• chore-prefer-searchevents-over-deprecated-methods
• chore-remove-deprecated-delete-project-groups-roles-endpoint
• chore-remove-deprecated-get-project-health-report
• chore-remove-deprecated-post-events-search
• chore-remove-deprecated-post-ui-config-endpoint
• chore-remove-deprecated-put-project-groups-roles-endpoint
• chore-remove-flag-enterprise-payg
• chore-remove-flag-featureLinks
• chore-remove-flag-newgettingstartedemail
• chore-remove-flag-registerFrontendClient-20250521173203
• chore-remove-teams-integration-cr-events-flag
• chore-sift-metrics-on-both-endpoints
• chore-unknown-flags-add-environment
• chore-unknown-flags-prevent-deadlocks-by-sorting-and-batching-inserts
• chore-unknown-flags-ui
• chore-update-slack-app-to-app-for-slack
• chore/add-application-created-event-type
• chore/add-payg-trial-event-flag
• chore/addCrdiffViewFlag
• chore/approvePSFForLicenseChecker
• chore/disallow-new-instances-of-deprecated-integrations
• chore/do-not-console-log
• chore/export-iclientinstance
• chore/exposeFeatureUsageInfo
• chore/fix-flaky-delete-stale-session
• chore/get-rid-of-deprecated-api-token-properties
• chore/improve-cr-approve-request-message
• chore/lifecycle-metrics-flag
• chore/reduce-log-levels-in-metrics-service
• chore/remove-flag-disableBulkToggle
• chore/undeprecate-instance-stats-endpoint
• chore/unleash-ai-healthtotechdebt-flag-cleanup
• chore/unleash-ai-registerfrontendclient-flag-cleanup
• chore/unleash-ai-reportunknownflags-flag-cleanup
• cr-uni
• create-user-transaction
• decouple-impact-metrics-from-request-logger
• enforce-deprecation-of-endpoints-in-dev
• event-group
• event-handler
• expand-resolver-interface-with-metrics
• export-impact-register
• expose-impact-metrics
• expose-impact-register
• feat/context-value-type
• feat/impact-metrics-frontend
• feat/impact-metrics-prometheus-config
• feat/ingest-impact-metrics
• feat/telemetryLicenseAndHostedInformation
• fix(1-3804)/store-flag-creation-form-state
• fix(1-3928)/prevent-overwriting-in-instance-store
• fix-coveralls-2
• fix-docker-compose-file
• fix-docker-image
• fix-fix-new-static-folder
• fix-frontend-api-cors
• fix-impact-metrics-resolver-signature
• fix-impact-metrics-undefined
• fix-new-static-folder
• fix-openapi-static
• fix-openapi-static-files
• fix-private-projects-visibility-for-editors-admins-through-group
• fix/coverage
• fix/flaky-lifecycle-test
• fix/healt-to-tech-debt-flag
• fix/health-to-techdebt-ui
• fix/remove-flag-useMemoizedActiveTokens
• fix/removeMd5UseSha256
• flag-removal-keep-registerFrontendClient-junie
• flag-removal-really-keep-registerFrontendClient-ws-swe1
• flag/1-3728
• gastonfournier-patch-1
• hackathon-2
• high-rps-metric-request-count
• impact-metrics-collection-e2e
• ky-migration
• lifecycle-graphs-flag
• lifecycle-trends-migration
• main
• master
• migration-event-group
• minor-details
• missing-parts-for-default-env-removal
• node-sdk-impact-metrics-env
• openapi-diff
• prefix-metrics-unleash-type
• prefix-unleash-metrics-labels
• prepare-for-default-env-removal
• print-out-10-unknown-flag-names
• push-mzynkmotlpzy
• query-group
• remove-console-log
• remove-coveralls-dependency
• remove-default-env-from-new-installs
• remove-deprecated-isAPI-from-user-schema
• remove-examples-references
• remove-flag-cleanupReminder
• remove-flag-removeInactiveApplications
• remove-flag-test
• remove-flags-featureLinks-projectLinkTemplates
• remove-impact-metrics-flag-guard
• remove-unknown-flag
• remove-user-ids-strategy
• renovate/actions-checkout-4.x
• renovate/actions-github-script-7.x
• renovate/aws-actions-configure-aws-credentials-4.x
• renovate/cors-2.x
• renovate/del-cli-6.x
• renovate/dpage-pgadmin4-9.x
• renovate/express-4.x
• renovate/express-session-1.x
• renovate/fetch-mock-12.x-lockfile
• renovate/make-fetch-happen-14.x
• renovate/memoizee-0.x
• renovate/mustache-4.x-lockfile
• renovate/pg-8.x
• renovate/pg-8.x-lockfile
• renovate/pg-connection-string-2.x-lockfile
• renovate/prom-client-15.x
• renovate/semver-7.x
• renovate/semver-7.x-lockfile
• renovate/slack-web-api-7.x-lockfile
• renovate/slug-11.x
• renovate/superagent-10.x
• renovate/supertest-6.x
• renovate/swc-monorepo
• renovate/tsc-watch-7.x
• renovate/type-is-2.x
• renovate/uuid-11.x
• reset-fb
• resolve-brace-expansion
• restore-feature
• rev-non-reactive
• revert-10150-chore/do-not-console-log
• run-npm-from-branch
• sanitize-metrics-labels-impact-metrics
• scim-user-deletion-audit
• search-user-events
• sort-id
• store-transaction-id
• support-id-event
• task/addCRRequestedApproversUpdatedEvent
• task/addEmailTemplateForRequestedCRApproval
• task/addFlagForCRApproverEmails
• task/addIEmailEnvelopeToExportedTypes
• task/addNotifiedAtToChangeRequestNotificationJoinTable
• task/addRequesterToApprovalMail
• task/addTableForRequestedApproversForChangeRequest
• task/bumpMinimumPostgresVersion
• task/bumpNodeVersionForOssContainer
• task/ciRemoveUnnecessaryNodeEnvSetting
• task/removeDeprecatedFeatureVariantEndpoint
• task/removeDeprecatedProjectEndpoint
• test-impact-metrics-e2e
• transaction-context
• translate-impact-metrics
• typo/errror
• ulid
• upgrade-node
• using-impact-metrics-with-flags
• validate-impact-metrics

Build # 21097719456

Build Type

push

github

Committed by web-flow

Commit Message

chore(deps): update dependency tar to v7.5.3 [security] (#11240)

This PR contains the following updates:

| Package | Change |
[Age](https://docs.renovatebot.com/merge-confidence/) |
[Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| [tar](https://redirect.github.com/isaacs/node-tar) | [`7.4.3` →
`7.5.3`](https://renovatebot.com/diffs/npm/tar/7.4.3/7.5.3) |
![age](https://developer.mend.io/api/mc/badges/age/npm/tar/7.5.3?slim=true)
|
![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/tar/7.4.3/7.5.3?slim=true)
|

### GitHub Vulnerability Alerts

####
[CVE-2026-23745](https://redirect.github.com/isaacs/node-tar/security/advisories/GHSA-8qq5-rm4j-mr97)

### Summary

The `node-tar` library (`<= 7.5.2`) fails to sanitize the `linkpath` of
`Link` (hardlink) and `SymbolicLink` entries when `preservePaths` is
false (the default secure behavior). This allows malicious archives to
bypass the extraction root restriction, leading to **Arbitrary File
Overwrite** via hardlinks and **Symlink Poisoning** via absolute symlink
targets.

### Details

The vulnerability exists in `src/unpack.ts` within the `[HARDLINK]` and
`[SYMLINK]` methods.

**1. Hardlink Escape (Arbitrary File Overwrite)**

The extraction logic uses `path.resolve(this.cwd, entry.linkpath)` to
determine the hardlink target. Standard Node.js behavior dictates that
if the second argument (`entry.linkpath`) is an **absolute path**,
`path.resolve` ignores the first argument (`this.cwd`) entirely and
returns the absolute path.

The library fails to validate that this resolved target remains within
the extraction root. A malicious archive can create a hardlink to a
sensitive file on the host (e.g., `/etc/passwd`) and subsequently write
to it, if file permissions allow writing to the target file, bypassing
path-based security measures that may be in place.

**2. Symlink Poisoning**

The extraction logic passes the user-supplied `entry.linkpath` directly
to `... (continued)

Run Details

1687 of 1897 branches covered (88.93%)

14259 of 16544 relevant lines covered (86.19%)

872.44 hits per line