[Security] Bump tar-fs from 2.1.1 to 2.1.2
Bumps tar-fs from 2.1.1 to 2.1.2. This update includes a security fix.
Vulnerabilities fixed
tar-fs Vulnerable to Link Following and Path Traversal via Extracting a Crafted tar File
This is an Improper Link Resolution Before File Access ("Link Following") and Improper Limitation of a Pathname to a Restricted Directory ("Path Traversal") issue. It occurs when extracting a maliciously crafted tar file and can result in unauthorized file writes or overwrites outside the intended extraction directory. The issue is associated with index.js in the tar-fs package. This issue affects tar-fs: from 0.0.0 before 1.16.4, from 2.0.0 before 2.1.2, from 3.0.0 before 3.0.7.
Patched versions: 3.0.8; 2.1.2; 1.16.4
Affected versions: >= 3.0.0, < 3.0.8; >= 2.0.0, < 2.1.2; < 1.16.4
Commits
- d97731b 2.1.2
- fd1634e symlink tweak from main
- See full diff in compare view
Dependabot commands
You can trigger Dependabot actions by commenting on this MR
- $dependabot recreate will recreate this MR, rewriting all the manual changes and resolving conflicts