Comparing version 4.4.18 to 4.4.19
@@ -526,9 +526,9 @@ 'use strict' | ||
| // is any of its children. | ||
| // If a symbolic link is encountered on Windows, all bets are off. | ||
| // There is no reasonable way to sanitize the cache in such a way | ||
| // we will be able to avoid having filesystem collisions. If this | ||
| // happens with a non-symlink entry, it'll just fail to unpack, | ||
| // but a symlink to a directory, using an 8.3 shortname, can evade | ||
| // detection and lead to arbitrary writes to anywhere on the system. | ||
| if (isWindows && entry.type === 'SymbolicLink') | ||
| // If a symbolic link is encountered, all bets are off. There is no | ||
| // reasonable way to sanitize the cache in such a way we will be able to | ||
| // avoid having filesystem collisions. If this happens with a non-symlink | ||
| // entry, it'll just fail to unpack, but a symlink to a directory, using an | ||
| // 8.3 shortname or certain unicode attacks, can evade detection and lead | ||
| // to arbitrary writes to anywhere on the system. | ||
| if (entry.type === 'SymbolicLink') | ||
| dropCache(this.dirCache) | ||
@@ -535,0 +535,0 @@ else if (entry.type !== 'Directory') |
@@ -5,3 +5,3 @@ { | ||
| "description": "tar for node", | ||
| "version": "4.4.18", | ||
| "version": "4.4.19", | ||
| "publishConfig": { | ||
@@ -8,0 +8,0 @@ "tag": "v4-legacy" |
No alert changes
Improved metrics
- Total package byte prevSize
150649
No dependency changes