
chore(deps): Bump tar from 6.1.11 to 6.2.1 #262

Merged

Conversation

EelcoLos (Contributor) commented Apr 24, 2024

This PR is a request to fix the "Denial of service while parsing a tar file due to lack of folders count validation".

This Dependabot Moderate issue is also visible at GHSA-f5x3-32g6-xq36.

These are displayed in: CWE-400

PR on forked branch: Brink-Software#28

Below is cited from Dependabot:


Bumps tar from 6.1.11 to 6.2.1.

Release notes

Sourced from tar's releases.

v6.1.13

6.1.13 (2022-12-07)

Dependencies

v6.1.12

6.1.12 (2022-10-31)

Bug Fixes

Documentation

Changelog

Sourced from tar's changelog.

Changelog

7.0

  • Rewrite in TypeScript, provide ESM and CommonJS hybrid interface
  • Add tree-shake friendly exports, like import('tar/create') and import('tar/read-entry') to get individual functions or classes.
  • Add chmod option that defaults to false, and deprecate noChmod. That is, reverse the default option regarding explicitly setting file system modes to match tar entry settings.
  • Add processUmask option to avoid having to call process.umask() when chmod: true (or noChmod: false) is set.

6.2

  • Add support for brotli compression
  • Add maxDepth option to prevent extraction into excessively deep folders.

6.1

6.0

  • Drop support for node 6 and 8
  • fix symlinks and hardlinks on windows being packed with \-style path targets

5.0

  • Address unpack race conditions using path reservations
  • Change large-numbers errors from TypeError to Error
  • Add TAR_* error codes
  • Raise TAR_BAD_ARCHIVE warning/error when there are no valid entries found in an archive
  • do not treat ignored entries as an invalid archive
  • drop support for node v4
  • unpack: conditionally use a file mapping to write files on Windows
  • Set more portable 'mode' value in portable mode
  • Set portable gzip option in portable mode

... (truncated)

Commits

Bumps [tar](https://github.com/isaacs/node-tar) from 6.1.11 to 6.2.1.
- [Release notes](https://github.com/isaacs/node-tar/releases)
- [Changelog](https://github.com/isaacs/node-tar/blob/main/CHANGELOG.md)
- [Commits](isaacs/node-tar@v6.1.11...v6.2.1)

---
updated-dependencies:
- dependency-name: tar
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <[email protected]>
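The line in the 6.2 changelog above that matters for this bump is the new maxDepth option, which is what stops an archive from driving the extractor into an unbounded number of nested folders (the CWE-400 condition in the PR title). The following is an added example, not code from node-tar or from this repository: a minimal in-memory ustar writer and reader whose listing step skips any entry whose path depth exceeds a limit, which is the shape of check a maxDepth option performs. The archive contents, the helper names (`buildTar`, `listEntries`, `pathDepth`) and the limit of 8 are constructed for the demonstration; node-tar's own default limit is far higher (1024).

```javascript
// Added example (not node-tar's code): a minimal ustar writer and reader
// that applies a maxDepth-style check while listing entries. The sample
// archive is constructed in memory; nothing is written to disk.
const BLOCK = 512;

// Numeric ustar fields are zero-padded octal digits terminated by NUL.
function octal(value, width) {
  return value.toString(8).padStart(width - 1, '0') + '\0';
}

// Build one 512-byte ustar header. The writer assumes names of at most
// 100 bytes; the reader below also honours the 155-byte prefix field.
function buildHeader(path, type, size) {
  const h = Buffer.alloc(BLOCK, 0);
  h.write(path, 0, 100, 'utf8');                          // name
  h.write(octal(type === 'dir' ? 0o755 : 0o644, 8), 100); // mode
  h.write(octal(0, 8), 108);                              // uid
  h.write(octal(0, 8), 116);                              // gid
  h.write(octal(size, 12), 124);                          // size
  h.write(octal(0, 12), 136);                             // mtime
  h.write('        ', 148);                               // chksum: spaces while summing
  h.write(type === 'dir' ? '5' : '0', 156);               // typeflag
  h.write('ustar\0', 257);                                // magic
  h.write('00', 263);                                     // version
  let sum = 0;
  for (const b of h) sum += b;
  h.write(sum.toString(8).padStart(6, '0') + '\0 ', 148); // 6 octal digits, NUL, space
  return h;
}

// Serialise entries [{ path, type: 'dir' | 'file', content }] into a tar buffer.
function buildTar(entries) {
  const parts = [];
  for (const e of entries) {
    const body = e.type === 'dir' ? Buffer.alloc(0) : Buffer.from(e.content ?? '', 'utf8');
    parts.push(buildHeader(e.path, e.type, body.length));
    if (body.length > 0) {
      const padded = Buffer.alloc(Math.ceil(body.length / BLOCK) * BLOCK, 0);
      body.copy(padded);
      parts.push(padded);
    }
  }
  parts.push(Buffer.alloc(BLOCK * 2, 0)); // two zero blocks mark end of archive
  return Buffer.concat(parts);
}

function readString(buf, off, len) {
  const nul = buf.indexOf(0, off);
  const end = nul === -1 || nul > off + len ? off + len : nul;
  return buf.toString('utf8', off, end);
}
function readOctal(buf, off, len) {
  return parseInt(readString(buf, off, len).trim() || '0', 8);
}

// The stored checksum is computed with the chksum field itself read as spaces.
function verifyChecksum(h) {
  let sum = 0;
  for (let i = 0; i < BLOCK; i++) sum += i >= 148 && i < 156 ? 0x20 : h[i];
  return sum === readOctal(h, 148, 8);
}

// Depth = number of path segments, ignoring empty and '.' components,
// so 'a//b/./c/' and 'a/b/c' both count as 3.
function pathDepth(p) {
  return p.split('/').filter((s) => s !== '' && s !== '.').length;
}

// Walk the archive and partition entries into accepted and skipped,
// skipping (instead of extracting) anything deeper than maxDepth.
function listEntries(tar, { maxDepth = 1024 } = {}) {
  const accepted = [];
  const skipped = [];
  let off = 0;
  while (off + BLOCK <= tar.length) {
    const h = tar.subarray(off, off + BLOCK);
    if (h.every((b) => b === 0)) break; // end-of-archive marker
    if (!verifyChecksum(h)) throw new Error(`bad header checksum at offset ${off}`);
    const name = readString(h, 0, 100);
    const prefix = readString(h, 345, 155);
    const path = prefix ? `${prefix}/${name}` : name;
    const size = readOctal(h, 124, 12);
    const type = h[156] === 0x35 ? 'dir' : 'file'; // '5' = directory
    const depth = pathDepth(path);
    const entry = { path, type, size, depth };
    if (depth > maxDepth) {
      skipped.push({ ...entry, reason: `depth ${depth} exceeds maxDepth ${maxDepth}` });
    } else {
      accepted.push(entry);
    }
    off += BLOCK + Math.ceil(size / BLOCK) * BLOCK; // header + padded content
  }
  return { accepted, skipped };
}

// Constructed sample: a normal package plus a 40-level-deep directory chain.
const SAMPLE = buildTar([
  { path: 'pkg/', type: 'dir' },
  { path: 'pkg/package.json', type: 'file', content: '{"name":"demo"}' },
  { path: 'a/'.repeat(40), type: 'dir' },
  { path: 'a/'.repeat(40) + 'deep.txt', type: 'file', content: 'x' },
]);
const result = listEntries(SAMPLE, { maxDepth: 8 }); // limit kept low for the demo
console.log('accepted:', result.accepted.map((e) => e.path),
            'skipped:', result.skipped.map((e) => `${e.path} (${e.reason})`));
```

With the limit at 8 the two `pkg/` entries are accepted and the two entries under the 40-level chain are skipped with a reason, while the default limit accepts all four. The depth check is only one of the guards a real extractor needs; absolute paths and `..` segments still have to be rejected separately, and this listing does not do that.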
amannn (Owner) commented Apr 24, 2024

Thank you!

@amannn amannn merged commit 9a90d5a into amannn:main Apr 24, 2024
27 checks passed

🎉 This PR is included in version 5.5.2 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀

@dependabot dependabot bot deleted the dependabot/npm_and_yarn/tar-6.2.1 branch April 24, 2024 16:50
FlipEnergy added a commit to gorgias/action-semantic-pull-request that referenced this pull request Aug 29, 2024
* feat: Add outputs for `type`, `scope` and `subject` (amannn#261 by @bcaurel)

* Update validatePrTitle.js

* Update README.md

* Update README.md

---------

Co-authored-by: Jan Amann <[email protected]>

* chore: Release 5.5.0 [skip ci]

* fix: Bump ip from 2.0.0 to 2.0.1 (amannn#263 by @EelcoLos)

Bumps [ip](https://github.com/indutny/node-ip) from 2.0.0 to 2.0.1.
- [Commits](indutny/node-ip@v2.0.0...v2.0.1)

---
updated-dependencies:
- dependency-name: ip
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore: Release 5.5.1 [skip ci]

* fix: Bump tar from 6.1.11 to 6.2.1 (amannn#262 by @EelcoLos)

Bumps [tar](https://github.com/isaacs/node-tar) from 6.1.11 to 6.2.1.
- [Release notes](https://github.com/isaacs/node-tar/releases)
- [Changelog](https://github.com/isaacs/node-tar/blob/main/CHANGELOG.md)
- [Commits](isaacs/node-tar@v6.1.11...v6.2.1)

---
updated-dependencies:
- dependency-name: tar
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore: Release 5.5.2 [skip ci]

* chore: Update major tag (amannn#268 by @gustavkj)

* chore(deps): Bump braces from 3.0.2 to 3.0.3 (amannn#269 by @EelcoLos)

* fix: Bump `braces` dependency (amannn#269. by @EelcoLos)

* chore: Release 5.5.3 [skip ci]

* docs: Mention `reopened` trigger in README (amannn#272 by @garysassano)

* feat(ops): Update readme to reflect how gorgians should use

---------

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: Brandon Caurel <[email protected]>
Co-authored-by: Jan Amann <[email protected]>
Co-authored-by: semantic-release-bot <[email protected]>
Co-authored-by: Eelco Los <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Gustav Utterheim <[email protected]>
Co-authored-by: Jan Amann <[email protected]>
Co-authored-by: Gary Sassano <[email protected]>