Conversation

@antonis
Contributor

@antonis antonis commented Nov 27, 2025

📢 Type of change

  • Bugfix
  • New feature
  • Enhancement
  • Refactoring

📜 Description

Bump tar-fs to 3.1.1 to fix the following security issues:

  • tar-fs can extract outside the specified dir with a specific tarball
  • tar-fs has a symlink validation bypass if destination directory is predictable with a specific tarball
  • tar-fs Vulnerable to Link Following and Path Traversal via Extracting a Crafted tar File

💡 Motivation and Context

Security warnings

💚 How did you test it?

CI, Manual check with the sample app

📝 Checklist

  • I added tests to verify changes
  • No new PII added or SDK only sends newly added PII if sendDefaultPII is enabled
  • I updated the docs if needed.
  • I updated the wizard if needed.
  • All tests passing
  • No breaking changes

🔮 Next steps

#skip-changelog

@antonis antonis added the ready-to-merge Triggers the full CI test suite label Nov 27, 2025
@github-actions
Contributor

Android (legacy) Performance metrics 🚀

| | Plain | With Sentry | Diff |
|---|---|---|---|
| Startup time | 505.52 ms | 539.44 ms | 33.92 ms |
| Size | 43.75 MiB | 48.05 MiB | 4.29 MiB |

Baseline results on branch: main

Startup times

| Revision | Plain | With Sentry | Diff |
|---|---|---|---|
| 8d89cc9+dirty | 537.83 ms | 536.02 ms | -1.81 ms |
| ea3e26e+dirty | 498.02 ms | 532.90 ms | 34.88 ms |
| 7480abe+dirty | 411.60 ms | 405.81 ms | -5.78 ms |
| d861c16+dirty | 336.96 ms | 349.14 ms | 12.18 ms |
| 20daa0a | 359.51 ms | 374.90 ms | 15.39 ms |
| 8a4ce6f | 422.88 ms | 408.33 ms | -14.55 ms |
| 69602ce | 417.47 ms | 443.52 ms | 26.05 ms |
| ba75c7c | 367.72 ms | 369.16 ms | 1.44 ms |
| 1226664+dirty | 347.45 ms | 386.60 ms | 39.15 ms |
| b7aa1aa+dirty | 324.73 ms | 327.76 ms | 3.03 ms |

App size

| Revision | Plain | With Sentry | Diff |
|---|---|---|---|
| 8d89cc9+dirty | 17.75 MiB | 19.68 MiB | 1.94 MiB |
| ea3e26e+dirty | 43.75 MiB | 47.99 MiB | 4.24 MiB |
| 7480abe+dirty | 17.75 MiB | 19.68 MiB | 1.94 MiB |
| d861c16+dirty | 17.75 MiB | 19.70 MiB | 1.96 MiB |
| 20daa0a | 17.75 MiB | 20.15 MiB | 2.41 MiB |
| 8a4ce6f | 17.75 MiB | 19.68 MiB | 1.94 MiB |
| 69602ce | 17.75 MiB | 19.68 MiB | 1.94 MiB |
| ba75c7c | 17.75 MiB | 20.15 MiB | 2.41 MiB |
| 1226664+dirty | 17.75 MiB | 19.74 MiB | 1.99 MiB |
| b7aa1aa+dirty | 17.75 MiB | 19.75 MiB | 2.00 MiB |

@github-actions
Contributor

Android (new) Performance metrics 🚀

| | Plain | With Sentry | Diff |
|---|---|---|---|
| Startup time | 439.02 ms | 479.48 ms | 40.46 ms |
| Size | 43.94 MiB | 48.87 MiB | 4.93 MiB |

Baseline results on branch: main

Startup times

| Revision | Plain | With Sentry | Diff |
|---|---|---|---|
| 1e7a472+dirty | 319.58 ms | 372.29 ms | 52.71 ms |
| c94a927+dirty | 411.32 ms | 443.18 ms | 31.86 ms |
| ea3e26e+dirty | 399.98 ms | 448.36 ms | 48.38 ms |
| 5ee3314+dirty | 358.69 ms | 394.00 ms | 35.31 ms |
| 8d89cc9+dirty | 357.69 ms | 415.79 ms | 58.10 ms |
| 07808fb+dirty | 392.47 ms | 451.94 ms | 59.47 ms |
| 5c16cdc+dirty | 375.45 ms | 426.62 ms | 51.17 ms |
| 3bd3f0d+dirty | 334.38 ms | 402.19 ms | 67.81 ms |
| 0b64753+dirty | 358.55 ms | 429.16 ms | 70.61 ms |
| 459a438+dirty | 359.50 ms | 390.53 ms | 31.03 ms |

App size

| Revision | Plain | With Sentry | Diff |
|---|---|---|---|
| 1e7a472+dirty | 7.15 MiB | 8.43 MiB | 1.28 MiB |
| c94a927+dirty | 7.15 MiB | 8.43 MiB | 1.28 MiB |
| ea3e26e+dirty | 43.94 MiB | 48.82 MiB | 4.88 MiB |
| 5ee3314+dirty | 7.15 MiB | 8.43 MiB | 1.28 MiB |
| 8d89cc9+dirty | 7.15 MiB | 8.41 MiB | 1.26 MiB |
| 07808fb+dirty | 7.15 MiB | 8.43 MiB | 1.28 MiB |
| 5c16cdc+dirty | 7.15 MiB | 8.41 MiB | 1.26 MiB |
| 3bd3f0d+dirty | 7.15 MiB | 8.43 MiB | 1.28 MiB |
| 0b64753+dirty | 7.15 MiB | 8.42 MiB | 1.27 MiB |
| 459a438+dirty | 7.15 MiB | 8.42 MiB | 1.27 MiB |

@github-actions
Contributor

iOS (legacy) Performance metrics 🚀

| | Plain | With Sentry | Diff |
|---|---|---|---|
| Startup time | 1217.70 ms | 1220.22 ms | 2.52 ms |
| Size | 3.41 MiB | 4.59 MiB | 1.18 MiB |

Baseline results on branch: main

Startup times

| Revision | Plain | With Sentry | Diff |
|---|---|---|---|
| 88890fe+dirty | 1219.20 ms | 1231.00 ms | 11.80 ms |
| 7be1f99+dirty | 1226.69 ms | 1217.76 ms | -8.93 ms |
| 276d348+dirty | 1224.22 ms | 1227.38 ms | 3.16 ms |
| 93137d1+dirty | 1230.73 ms | 1230.98 ms | 0.25 ms |
| 128ee72+dirty | 1218.16 ms | 1219.18 ms | 1.03 ms |
| 46e3d54+dirty | 1216.40 ms | 1210.47 ms | -5.93 ms |
| eb07ba3+dirty | 1222.46 ms | 1220.37 ms | -2.08 ms |
| 0b64753+dirty | 1232.49 ms | 1226.96 ms | -5.53 ms |
| d861c16+dirty | 1231.94 ms | 1242.32 ms | 10.38 ms |
| 49ef936+dirty | 1228.42 ms | 1217.09 ms | -11.33 ms |

App size

| Revision | Plain | With Sentry | Diff |
|---|---|---|---|
| 88890fe+dirty | 2.63 MiB | 4.00 MiB | 1.37 MiB |
| 7be1f99+dirty | 2.63 MiB | 3.81 MiB | 1.18 MiB |
| 276d348+dirty | 2.63 MiB | 3.98 MiB | 1.34 MiB |
| 93137d1+dirty | 2.63 MiB | 3.99 MiB | 1.35 MiB |
| 128ee72+dirty | 3.41 MiB | 4.58 MiB | 1.17 MiB |
| 46e3d54+dirty | 3.41 MiB | 4.58 MiB | 1.17 MiB |
| eb07ba3+dirty | 2.63 MiB | 3.81 MiB | 1.18 MiB |
| 0b64753+dirty | 2.63 MiB | 3.98 MiB | 1.35 MiB |
| d861c16+dirty | 2.63 MiB | 4.00 MiB | 1.36 MiB |
| 49ef936+dirty | 2.63 MiB | 3.98 MiB | 1.34 MiB |

@github-actions
Contributor

iOS (new) Performance metrics 🚀

| | Plain | With Sentry | Diff |
|---|---|---|---|
| Startup time | 1209.02 ms | 1215.58 ms | 6.56 ms |
| Size | 3.41 MiB | 4.59 MiB | 1.18 MiB |

Baseline results on branch: main

Startup times

| Revision | Plain | With Sentry | Diff |
|---|---|---|---|
| 88890fe+dirty | 1219.00 ms | 1222.08 ms | 3.08 ms |
| 7be1f99+dirty | 1222.43 ms | 1217.15 ms | -5.28 ms |
| 276d348+dirty | 1222.10 ms | 1229.02 ms | 6.92 ms |
| 93137d1+dirty | 1232.69 ms | 1245.18 ms | 12.49 ms |
| 128ee72+dirty | 1204.73 ms | 1205.02 ms | 0.29 ms |
| 46e3d54+dirty | 1213.17 ms | 1216.33 ms | 3.17 ms |
| eb07ba3+dirty | 1214.49 ms | 1221.59 ms | 7.10 ms |
| 0b64753+dirty | 1225.77 ms | 1232.98 ms | 7.21 ms |
| d861c16+dirty | 1226.00 ms | 1223.35 ms | -2.65 ms |
| 49ef936+dirty | 1221.27 ms | 1221.60 ms | 0.34 ms |

App size

| Revision | Plain | With Sentry | Diff |
|---|---|---|---|
| 88890fe+dirty | 3.19 MiB | 4.57 MiB | 1.38 MiB |
| 7be1f99+dirty | 3.19 MiB | 4.38 MiB | 1.19 MiB |
| 276d348+dirty | 3.19 MiB | 4.54 MiB | 1.36 MiB |
| 93137d1+dirty | 3.19 MiB | 4.55 MiB | 1.37 MiB |
| 128ee72+dirty | 3.41 MiB | 4.58 MiB | 1.17 MiB |
| 46e3d54+dirty | 3.41 MiB | 4.58 MiB | 1.17 MiB |
| eb07ba3+dirty | 3.19 MiB | 4.38 MiB | 1.19 MiB |
| 0b64753+dirty | 3.19 MiB | 4.55 MiB | 1.36 MiB |
| d861c16+dirty | 3.19 MiB | 4.56 MiB | 1.38 MiB |
| 49ef936+dirty | 3.19 MiB | 4.54 MiB | 1.36 MiB |

@antonis antonis marked this pull request as ready for review November 27, 2025 10:32
Collaborator

@lucas-zimerman lucas-zimerman left a comment

LGTM!

@antonis antonis merged commit fdbea8b into main Nov 27, 2025
116 of 121 checks passed
@antonis antonis deleted the antonis/bump-tar-fs branch November 27, 2025 11:26