Skip to content

fix: update tar-fs to 3.0.9 to resolve security vulnerability#75

Merged
teodorciuraru merged 1 commit intomasterfrom
teodor/sdks-1483-getdittoreact-ditto-has-a-high-severity-vulnerability-in-tar
Aug 15, 2025
Merged

fix: update tar-fs to 3.0.9 to resolve security vulnerability#75
teodorciuraru merged 1 commit intomasterfrom
teodor/sdks-1483-getdittoreact-ditto-has-a-high-severity-vulnerability-in-tar

Conversation

@teodorciuraru
Copy link
Contributor

@teodorciuraru teodorciuraru commented Aug 14, 2025

Summary

• Updates tar-fs resolution from 3.0.8 to 3.0.9 to fix CVE-2025-48387
• Fixes high severity vulnerability that allows extraction outside specified directory
• All builds and tests pass with the updated dependency

Test plan

  • Build passes locally (npm run build)
  • All tests pass locally (yarn test)
  • Verified tar-fs is now at version 3.0.9
  • No breaking changes detected

🤖 Generated with Claude Code

@claude
fix: update tar-fs to 3.0.9 to resolve security vulnerability
d57a13e 
Updates tar-fs from 3.0.8 to 3.0.9 to fix CVE-2025-48387, a high severity
vulnerability that allows extraction outside the specified directory.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
@teodorciuraru teodorciuraru requested a review from Copilot August 14, 2025 15:57
@teodorciuraru teodorciuraru self-assigned this Aug 14, 2025
@teodorciuraru teodorciuraru added the dependencies Pull requests that update a dependency file label Aug 14, 2025
Copilot AI reviewed Aug 14, 2025
View reviewed changes
Copy link

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

Updates the tar-fs dependency resolution from version 3.0.8 to 3.0.9 to address a high severity security vulnerability (CVE-2025-48387) that could allow file extraction outside the intended directory.

  • Updates tar-fs version in package.json resolutions
  • Addresses security vulnerability CVE-2025-48387
  • Maintains compatibility with existing codebase

Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.

@teodorciuraru teodorciuraru merged commit be5433a into master Aug 15, 2025
1 check passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@nickrobinson nickrobinson nickrobinson approved these changes

@pvditto pvditto Awaiting requested review from pvditto

Assignees

@teodorciuraru teodorciuraru

Labels

dependencies Pull requests that update a dependency file

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@teodorciuraru @nickrobinson