tar-fs is vulnerable to Path Traversal
48
Medium Risk
The package’s tar extraction logic previously allowed crafted archives to escape the intended extraction directory (CWD) via path traversal and symlink tricks (including when using opts.strip), and could write through pre-existing symlinks. The patch adds explicit root-escape guards, rejects escaping symlinks, avoids following existing symlinks, and strips special permission bits (setuid/setgid/sticky) from extracted entries.
You are affected if you are using a version that falls within the vulnerable range.
tar-fs is vulnerable to Path Traversal in versions 3.0.0 - 3.1.2 and 0.5.1 - 2.1.4.
Upgrade the tar-fs library to the patch version.
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.

SOC 2Compliant
ISO 27001Compliant