v10.2.1
Backport the v11.1.3 security fixes to v10.x:
- Validate symlink and hardlink targets against the output directory
- Replace the prefix-based containment check with
path.relative, fixing a sibling-directory bypass - Strip setuid, setgid, and sticky bits from extracted files
Advisory: GHSA-mp2f-45pm-3cg9 (CVE-2026-53486)
Full Changelog: v10.2.0...v10.2.1