deps: [email protected]

Author: wraithgar

node_modules/tar/dist/commonjs/index.min.js

@@ -283,7 +283,7 @@ class Unpack extends parse_js_1.Parser {
                 // `path.posix` is safe to use because we're operating on
                 // tar paths, not a filesystem.
                 const entryDir = node_path_1.default.posix.dirname(entry.path);
-                const resolved = node_path_1.default.posix.normalize(node_path_1.default.posix.join(entryDir, p));
+                const resolved = node_path_1.default.posix.normalize(node_path_1.default.posix.join(entryDir, parts.join('/')));
                 // If the resolved path escapes (starts with ..), reject it
                 if (resolved.startsWith('../') || resolved === '..') {
                     this.warn('TAR_ENTRY_ERROR', `${field} escapes extraction directory`, {

node_modules/tar/dist/commonjs/unpack.js

@@ -244,7 +244,7 @@ export class Unpack extends Parser {
                 // `path.posix` is safe to use because we're operating on
                 // tar paths, not a filesystem.
                 const entryDir = path.posix.dirname(entry.path);
-                const resolved = path.posix.normalize(path.posix.join(entryDir, p));
+                const resolved = path.posix.normalize(path.posix.join(entryDir, parts.join('/')));
                 // If the resolved path escapes (starts with ..), reject it
                 if (resolved.startsWith('../') || resolved === '..') {
                     this.warn('TAR_ENTRY_ERROR', `${field} escapes extraction directory`, {

node_modules/tar/dist/esm/index.min.js

@@ -2,7 +2,7 @@
   "author": "Isaac Z. Schlueter",
   "name": "tar",
   "description": "tar for node",
-  "version": "7.5.10",
+  "version": "7.5.11",
   "repository": {
     "type": "git",
     "url": "https://github.com/isaacs/node-tar.git"

node_modules/tar/dist/esm/unpack.js

@@ -142,7 +142,7 @@
         "spdx-expression-parse": "^4.0.0",
         "ssri": "^13.0.1",
         "supports-color": "^10.2.2",
-        "tar": "^7.5.10",
+        "tar": "^7.5.11",
         "text-table": "~0.2.0",
         "tiny-relative-date": "^2.0.2",
         "treeverse": "^3.0.0",
@@ -13437,9 +13437,9 @@
       }
     },
     "node_modules/tar": {
-      "version": "7.5.10",
-      "resolved": "https://registry.npmjs.org/tar/-/tar-7.5.10.tgz",
-      "integrity": "sha512-8mOPs1//5q/rlkNSPcCegA6hiHJYDmSLEI8aMH/CdSQJNWztHC9WHNam5zdQlfpTwB9Xp7IBEsHfV5LKMJGVAw==",
+      "version": "7.5.11",
+      "resolved": "https://registry.npmjs.org/tar/-/tar-7.5.11.tgz",
+      "integrity": "sha512-ChjMH33/KetonMTAtpYdgUFr0tbz69Fp2v7zWxQfYZX4g5ZN2nOBXm1R2xyA+lMIKrLKIoKAwFj93jE/avX9cQ==",
       "inBundle": true,
       "license": "BlueOak-1.0.0",
       "dependencies": {

node_modules/tar/package.json

@@ -110,7 +110,7 @@
     "spdx-expression-parse": "^4.0.0",
     "ssri": "^13.0.1",
     "supports-color": "^10.2.2",
-    "tar": "^7.5.10",
+    "tar": "^7.5.11",
     "text-table": "~0.2.0",
     "tiny-relative-date": "^2.0.2",
     "treeverse": "^3.0.0",