Security
Fixes a crafted archive being able to read or write files outside the extraction directory:
- Validate symlink and hardlink targets against the output directory
- Replace the prefix-based containment check with
path.relative, fixing a sibling-directory bypass - Strip setuid, setgid, and sticky bits from extracted files
Advisory: GHSA-mp2f-45pm-3cg9 (CVE-2026-53486)
Other changes
- Write regular files before hardlinks so a hardlink to an extracted file resolves
- Internal refactoring of the extraction code
Full changelog: v11.1.2...v11.1.3