
Conversation


@kreeksec kreeksec commented Aug 13, 2025

tar-fs provides filesystem bindings for tar-stream. Versions prior to 3.0.9, 2.1.3, and 1.16.5 have an issue where an extract can write outside the specified dir with a specific tarball. This has been patched in versions 3.0.9, 2.1.3, and 1.16.5. As a workaround, use the ignore option to ignore non files/directories.


Double check the following

  • Ran npm run check:lint script
  • Self-review completed using the steps outlined here
  • PR title follows the correct format: type(NODE-xxxx)[!]: description
    • Example: feat(NODE-1234)!: rewriting everything in coffeescript
  • Changes are covered by tests
  • New TODOs have a related JIRA ticket

@kreeksec kreeksec requested a review from a team as a code owner August 13, 2025 05:49
@dariakp dariakp changed the title fix(deps): tar-fs can extract outside the specified dir with a specific tarball chore(NODE-7106): tar-fs can extract outside the specified dir with a specific tarball Aug 13, 2025
@dariakp dariakp added External Submission PR submitted from outside the team dependencies Pull requests that update a dependency file tracked-in-jira Ticket filed in MongoDB's Jira system labels Aug 13, 2025
@baileympearson baileympearson self-assigned this Aug 13, 2025
@baileympearson baileympearson changed the title chore(NODE-7106): tar-fs can extract outside the specified dir with a specific tarball deps(NODE-7106): tar-fs can extract outside the specified dir with a specific tarball Aug 13, 2025
@baileympearson baileympearson added the Primary Review In Review with primary reviewer, not yet ready for team's eyes label Aug 13, 2025
@baileympearson baileympearson changed the title deps(NODE-7106): tar-fs can extract outside the specified dir with a specific tarball deps(NODE-7106): pin [email protected] in lockfile Aug 13, 2025
@baileympearson baileympearson merged commit 33d340e into mongodb:main Aug 13, 2025
17 of 31 checks passed