Skip to content

SDKS-1679: Fix tar-fs security vulnerability CVE-2025-59343#76

Merged
teodorciuraru merged 1 commit intomasterfrom
teodorciuraru/sdks-1679-react-ditto-has-a-high-severity-vulnerability-in-tar-fs
Sep 29, 2025
Merged

SDKS-1679: Fix tar-fs security vulnerability CVE-2025-59343#76
teodorciuraru merged 1 commit intomasterfrom
teodorciuraru/sdks-1679-react-ditto-has-a-high-severity-vulnerability-in-tar-fs

Conversation

@teodorciuraru
Copy link
Contributor

@teodorciuraru teodorciuraru commented Sep 29, 2025
edited
Loading

Summary

  • Updated tar-fs from 3.0.9 to 3.1.1 to resolve CVE-2025-59343
  • This fixes a symlink validation bypass vulnerability in tar-fs

Details

The tar-fs package versions >= 3.0.0 and < 3.1.1 had a vulnerability that could allow symlink validation bypass if the destination directory is predictable with a specific tarball.

Test plan

  • Run yarn install to update dependencies
  • Run yarn audit to verify the vulnerability is resolved
  • Run yarn test to ensure all tests pass
  • Run yarn build to verify the build succeeds

🤖 Generated with Claude Code

@claude
fix: update tar-fs to 3.1.1 to resolve security vulnerability
fec021a 
Resolves CVE-2025-59343 - symlink validation bypass vulnerability in tar-fs

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
@teodorciuraru teodorciuraru self-assigned this Sep 29, 2025
Copilot AI reviewed Sep 29, 2025
View reviewed changes
Copy link

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This PR updates the tar-fs package from version 3.0.9 to 3.1.1 to resolve a critical security vulnerability (CVE-2025-59343) that could allow symlink validation bypass in predictable destination directories.

  • Security dependency update to patch CVE-2025-59343
  • Version bump from 3.0.9 to 3.1.1 in package resolutions
  • Addresses symlink validation bypass vulnerability

Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.

@teodorciuraru teodorciuraru marked this pull request as ready for review September 29, 2025 13:05
@teodorciuraru teodorciuraru merged commit df5cb70 into master Sep 29, 2025
1 check passed
@teodorciuraru teodorciuraru deleted the teodorciuraru/sdks-1679-react-ditto-has-a-high-severity-vulnerability-in-tar-fs branch September 29, 2025 16:24
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

+1 more reviewer

@pvditto pvditto pvditto approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

@teodorciuraru teodorciuraru

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@teodorciuraru @pvditto

Comments