deps: tar@6.2.1

node_modules/tar/lib/unpack.js

@@ -48,6 +48,7 @@ const crypto = require('crypto')
 const getFlag = require('./get-write-flag.js')
 const platform = process.env.TESTING_TAR_FAKE_PLATFORM || process.platform
 const isWindows = platform === 'win32'
+const DEFAULT_MAX_DEPTH = 1024
 
 // Unlinks on Windows are not atomic.
 //
@@ -181,6 +182,12 @@ class Unpack extends Parser {
     this.processGid = (this.preserveOwner || this.setOwner) && process.getgid ?
       process.getgid() : null
 
+    // prevent excessively deep nesting of subfolders
+    // set to `Infinity` to remove this restriction
+    this.maxDepth = typeof opt.maxDepth === 'number'
+      ? opt.maxDepth
+      : DEFAULT_MAX_DEPTH
+
     // mostly just for testing, but useful in some cases.
     // Forcibly trigger a chown on every entry, no matter what
     this.forceChown = opt.forceChown === true
@@ -238,13 +245,13 @@ class Unpack extends Parser {
   }
 
   [CHECKPATH] (entry) {
+    const p = normPath(entry.path)
+    const parts = p.split('/')
+
     if (this.strip) {
-      const parts = normPath(entry.path).split('/')
       if (parts.length < this.strip) {
         return false
       }
-      entry.path = parts.slice(this.strip).join('/')
-
       if (entry.type === 'Link') {
         const linkparts = normPath(entry.linkpath).split('/')
         if (linkparts.length >= this.strip) {
@@ -253,11 +260,21 @@ class Unpack extends Parser {
           return false
         }
       }
+      parts.splice(0, this.strip)
+      entry.path = parts.join('/')
+    }
+
+    if (isFinite(this.maxDepth) && parts.length > this.maxDepth) {
+      this.warn('TAR_ENTRY_ERROR', 'path excessively deep', {
+        entry,
+        path: p,
+        depth: parts.length,
+        maxDepth: this.maxDepth,
+      })
+      return false
     }
 
     if (!this.preservePaths) {
-      const p = normPath(entry.path)
-      const parts = p.split('/')
       if (parts.includes('..') || isWindows && /^[a-z]:\.\.$/i.test(parts[0])) {
         this.warn('TAR_ENTRY_ERROR', `path contains '..'`, {
           entry,

node_modules/tar/package.json

@@ -2,7 +2,7 @@
   "author": "GitHub Inc.",
   "name": "tar",
   "description": "tar for node",
-  "version": "6.2.0",
+  "version": "6.2.1",
   "repository": {
     "type": "git",
     "url": "https://github.com/isaacs/node-tar.git"

package-lock.json

@@ -151,7 +151,7 @@
         "spdx-expression-parse": "^3.0.1",
         "ssri": "^10.0.5",
         "supports-color": "^9.4.0",
-        "tar": "^6.2.0",
+        "tar": "^6.2.1",
         "text-table": "~0.2.0",
         "tiny-relative-date": "^1.3.0",
         "treeverse": "^3.0.0",
@@ -14808,9 +14808,9 @@
       }
     },
     "node_modules/tar": {
-      "version": "6.2.0",
-      "resolved": "https://registry.npmjs.org/tar/-/tar-6.2.0.tgz",
-      "integrity": "sha512-/Wo7DcT0u5HUV486xg675HtjNd3BXZ6xDbzsCUZPt5iw8bTQ63bP0Raut3mvro9u+CUyq7YQd8Cx55fsZXxqLQ==",
+      "version": "6.2.1",
+      "resolved": "https://registry.npmjs.org/tar/-/tar-6.2.1.tgz",
+      "integrity": "sha512-DZ4yORTwrbTj/7MZYq2w+/ZFdI6OZ/f9SFHR+71gIVUZhOQPHzVCLpvRnPgyaMpfWxxk/4ONva3GQSyNIKRv6A==",
       "inBundle": true,
       "dependencies": {
         "chownr": "^2.0.0",
@@ -16153,7 +16153,7 @@
         "minimatch": "^9.0.4",
         "npm-package-arg": "^11.0.1",
         "pacote": "^17.0.4",
-        "tar": "^6.2.0"
+        "tar": "^6.2.1"
       },
       "devDependencies": {
         "@npmcli/eslint-config": "^4.0.0",

package.json

@@ -114,7 +114,7 @@
     "spdx-expression-parse": "^3.0.1",
     "ssri": "^10.0.5",
     "supports-color": "^9.4.0",
-    "tar": "^6.2.0",
+    "tar": "^6.2.1",
     "text-table": "~0.2.0",
     "tiny-relative-date": "^1.3.0",
     "treeverse": "^3.0.0",

workspaces/libnpmdiff/package.json

@@ -54,7 +54,7 @@
     "minimatch": "^9.0.4",
     "npm-package-arg": "^11.0.1",
     "pacote": "^17.0.4",
-    "tar": "^6.2.0"
+    "tar": "^6.2.1"
   },
   "templateOSS": {
     "//@npmcli/template-oss": "This file is partially managed by @npmcli/template-oss. Edits may be overwritten.",