
Bump tar from 7.5.9 to 7.5.11 #14

Open

dependabot[bot] wants to merge 1 commit into main from dependabot/npm_and_yarn/tar-7.5.11

Conversation


@dependabot dependabot bot commented on behalf of github Mar 11, 2026

Bumps tar from 7.5.9 to 7.5.11.


Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

You can disable automated security fix PRs for this repo from the Security Alerts page.

Bumps [tar](https://github.com/isaacs/node-tar) from 7.5.9 to 7.5.11.
- [Release notes](https://github.com/isaacs/node-tar/releases)
- [Changelog](https://github.com/isaacs/node-tar/blob/main/CHANGELOG.md)
- [Commits](isaacs/node-tar@v7.5.9...v7.5.11)

---
updated-dependencies:
- dependency-name: tar
  dependency-version: 7.5.11
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
dependabot[bot] added the labels dependencies (Pull requests that update a dependency file) and javascript (Pull requests that update javascript code) on Mar 11, 2026

@ecobitai ecobitai bot left a comment


Dependency Verification: APPROVED

tar 7.5.9 → 7.5.11 (patch)

Summary

  • CI: No CI checks configured
  • Risk: Low - transitive dependency with no direct usage
  • Security: Addresses CVE-2026-23745 (High severity, CVSS 8.2)

Security Context

This update includes security patches for CVE-2026-23745 - an arbitrary file overwrite and symlink poisoning vulnerability:

  • Affected: tar <= 7.5.2
  • Patched: 7.5.3+
  • 7.5.10: Fixes root path sanitization for .. parts
  • 7.5.11: Prevents escaping symlinks with drive-relative paths

Usage Analysis

  • Direct dependency: No (not in package.json)
  • Transitive dependency: Yes (likely via npm/node-gyp or build tooling)
  • Codebase usage: None found - no require('tar') or import from 'tar'

Risk Assessment

  • ✅ Patch version bump (backward compatible)
  • ✅ No direct usage in application code
  • ✅ Security-focused release with no breaking changes
  • ✅ npm itself is unaffected by this vulnerability (filters Link/SymbolicLink entries)

Recommendation: Safe to merge. This is a security hardening update for a transitive dependency.

Technical Details

| Property | Value |
| --- | --- |
| Classifier Tier | standard |
| Tier Reasoning | Security advisory updates require investigation and verification regardless of patch version, and absence of CI checks prevents automated safety confirmation. |
| Verdict | APPROVE |
| Model | z-ai/glm-5-20260211 |
| Iterations | 4 |
| Reasoning | enabled |
| Duration | 59.2s |
| Auto-Verify | enabled |
| Auto-Approve Level | major |
| Auto-Merge Level | off |

| Tokens | Count | Cost |
| --- | --- | --- |
| Input | 44,467 | $0.0356 |
| Output | 1,380 | $0.0035 |
| Total | | $0.0391 |

Classifier overhead: 371 tokens ($0.0006)

Tools: shell, search_web, fetch_url

⚡️ Trace Log

🔷 Executed:

#!/bin/bash
# Check if tar is a direct dependency or transitive
cat package.json 2>/dev/null | jq '{dependencies: .dependencies, devDependencies: .devDependencies}' 2>/dev/null || echo "No package.json found"

# Search for direct usage of tar in source files
rg -n "require\s*\(\s*['\"]tar['\"]\s*\)" -g "*.js" -g "*.ts" -g "*.mjs" -g "*.cjs" 2>/dev/null || echo "No require found"
rg -n "from\s+['\"]tar['\"]" -g "*.js" -g "*.ts" -g "*.mjs" -g "*.cjs" 2>/dev/null || echo "No import found"
rg -n "import\s+.*\s+from\s+['\"]tar['\"]" -g "*.js" -g "*.ts" -g "*.mjs" -g "*.cjs" 2>/dev/null || echo "No ES import found"

Length of output: 614 chars

{
  "dependencies": {
    "@tailwindcss/vite": "^4.1.10",
    "react": "^19.1.0",
    "react-dom": "^19.1.0",
    "tailwindcss": "^4.1.10"
  },
  "devDependencies": {
    "@eslint/js": "^9.25.0",
    "@types/node": "^24.10.0",
    "@types/react": "^19.1.2",
    "@types/react-dom": "^19.1.2",
    "@vitejs/plugin-react": "^4.4.1",
    "eslint": "^9.25.0",
    "eslint-plugin-react-hooks": "^5.2.0",
    "eslint-plugin-react-refresh": "^0.4.19",
    "globals": "^16.0.0",
    "typescript": "~5.8.3",
 ...

🔷 Executed:

search_web(query="node-tar 7.5.11 security vulnerability symlink", max_results=5)

Length of output: 2352 chars

Found 5 results for "node-tar 7.5.11 security vulnerability symlink":

1. CVE-2026-23745: Fix node-tar Arbitrary File Overwrite Vulnerability
   https://foresiet.com/blog/cve-2026-23745-node-tar-vulnerability-fix/
   CVE-2026-23745 is a high-severity path traversal flaw in node-tar (the tar library for Node.js). Versions ≤7.5.2 fail to sanitize linkpath in hardlink and symlink entries when preservePaths is false (default secure mode).

2. Insufficient Link Path Sanitization · Ad...

🔷 Executed:

fetch_url(url="https://github.com/isaacs/node-tar/security/advisories/GHSA-8qq5-rm4j-mr97")

Length of output: 1789 chars

*Content from https://github.com/isaacs/node-tar/security/advisories/GHSA-8qq5-rm4j-mr97:*

# Security Advisory Summary: node-tar Insufficient Link Path Sanitization

## Vulnerability Overview
- **Package:** npm tar
- **Severity:** High (CVSS 8.2/10)
- **CVE ID:** CVE-2026-23745
- **Affected Versions:** <= 7.5.2
- **Patched Version:** 7.5.3
- **Published:** January 16, 2026

## Vulnerability Details

The node-tar library fails to properly sanitize the `linkpath` field in Link (hardlink) and Symb...
