Update dependency tar to v7 [SECURITY] - abandoned

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
tar	^6.1.2 → ^7.0.0
tar	^6.0.5 → ^7.0.0

GitHub Vulnerability Alerts

CVE-2026-26960

Summary

tar.extract() in Node tar allows an attacker-controlled archive to create a hardlink inside the extraction directory that points to a file outside the extraction root, using default options.

This enables arbitrary file read and write as the extracting user (no root, no chmod, no preservePaths).

Severity is high because the primitive bypasses path protections and turns archive extraction into a direct filesystem access primitive.

Details

The bypass chain uses two symlinks plus one hardlink:

1. a/b/c/up -> ../..
2. a/b/escape -> c/up/../..
3. exfil (hardlink) -> a/b/escape/<target-relative-to-parent-of-extract>

Why this works:

• Linkpath checks are string-based and do not resolve symlinks on disk for hardlink target safety.

  • See STRIPABSOLUTEPATH logic in:
    • ../tar-audit-setuid - CVE/node_modules/tar/dist/commonjs/unpack.js:255
    • ../tar-audit-setuid - CVE/node_modules/tar/dist/commonjs/unpack.js:268
    • ../tar-audit-setuid - CVE/node_modules/tar/dist/commonjs/unpack.js:281

• Hardlink extraction resolves target as path.resolve(cwd, entry.linkpath) and then calls fs.link(target, destination).

  • ../tar-audit-setuid - CVE/node_modules/tar/dist/commonjs/unpack.js:566
  • ../tar-audit-setuid - CVE/node_modules/tar/dist/commonjs/unpack.js:567
  • ../tar-audit-setuid - CVE/node_modules/tar/dist/commonjs/unpack.js:703

• Parent directory safety checks (mkdir + symlink detection) are applied to the destination path of the extracted entry, not to the resolved hardlink target path.

  • ../tar-audit-setuid - CVE/node_modules/tar/dist/commonjs/unpack.js:617
  • ../tar-audit-setuid - CVE/node_modules/tar/dist/commonjs/unpack.js:619
  • ../tar-audit-setuid - CVE/node_modules/tar/dist/commonjs/mkdir.js:27
  • ../tar-audit-setuid - CVE/node_modules/tar/dist/commonjs/mkdir.js:101

As a result, exfil is created inside extraction root but linked to an external file. The PoC confirms shared inode and successful read+write via exfil.

PoC

hardlink.js
Environment used for validation:

• Node: v25.4.0
• tar: 7.5.7
• OS: macOS Darwin 25.2.0
• Extract options: defaults (tar.extract({ file, cwd }))

Steps:

1. Prepare/locate a tar module. If require('tar') is not available locally, set TAR_MODULE to an absolute path to a tar package directory.

2. Run:

TAR_MODULE="$(cd '../tar-audit-setuid - CVE/node_modules/tar' && pwd)" node hardlink.js

3. Expected vulnerable output (key lines):

same_inode=true
read_ok=true
write_ok=true
result=VULNERABLE

Interpretation:

• same_inode=true: extracted exfil and external secret are the same file object.
• read_ok=true: reading exfil leaks external content.
• write_ok=true: writing exfil modifies external file.

Impact

Vulnerability type:

• Arbitrary file read/write via archive extraction path confusion and link resolution.

Who is impacted:

• Any application/service that extracts attacker-controlled tar archives with Node tar defaults.
• Impact scope is the privileges of the extracting process user.

Potential outcomes:

• Read sensitive files reachable by the process user.
• Overwrite writable files outside extraction root.
• Escalate impact depending on deployment context (keys, configs, scripts, app data).

---

Release Notes

isaacs/node-tar (tar)

v7.5.8

Compare Source

v7.5.7

Compare Source

v7.5.6

Compare Source

v7.5.5

Compare Source

v7.5.4

Compare Source

v7.5.3

Compare Source

v7.5.2

Compare Source

v7.5.1

Compare Source

v7.5.0

Compare Source

v7.4.4

Compare Source

v7.4.3

Compare Source

v7.4.2

Compare Source

v7.4.1

Compare Source

v7.4.0

Compare Source

v7.3.0

Compare Source

v7.2.0

Compare Source

v7.1.0

Compare Source

v7.0.1

Compare Source

v7.0.0

Compare Source

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[confused-Techie]

Luckily I've just done @pulsar-edit/ls-archive, so I know exactly what needs to be done to fix things here.

May make a PR later today that bumps this dep while the tar codebase is fresh in my mind.

[confused-Techie]

Well I take it back, the errors here stem from bumping tar via our resolutions field which bumps it in our copy of npm-cli, which is what's actually breaking.

So any fixes would actually need to be applied there, or otherwise we would have to revisit if that's all still needed now that we are on a modern NodeJS version.

[renovate]

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.

[DeeDeeG]

I updated the workaround for this sort of "engines" field check, which we previously needed to do only for Node 14. Now we may as well do the workaround for Node 16 as well, since tar v7 claims support only for Node 18+.

Should let CI progress far enough to see if we get actual test failures or if anything blows up.

[renovate]

Autoclosing Skipped

This PR has been flagged for autoclosing. However, it is being skipped due to the branch being already modified. Please close/delete it manually or report a bug if you think this is in error.