tar - npm Package Compare versions

Comparing version 7.5.7 to 7.5.8

dist/commonjs/process-umask.d.ts

+export declare const umask: () => number;
+//# sourceMappingURL=process-umask.d.ts.map

dist/commonjs/process-umask.d.ts.map

+{"version":3,"file":"process-umask.d.ts","sourceRoot":"","sources":["../../src/process-umask.ts"],"names":[],"mappings":"AACA,eAAO,MAAM,KAAK,cAAwB,CAAA"}

dist/commonjs/process-umask.js

+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.umask = void 0;
+// separate file so I stop getting nagged in vim about deprecated API.
+const umask = () => process.umask();
+exports.umask = umask;
+//# sourceMappingURL=process-umask.js.map

dist/commonjs/process-umask.js.map

+{"version":3,"file":"process-umask.js","sourceRoot":"","sources":["../../src/process-umask.ts"],"names":[],"mappings":";;;AAAA,sEAAsE;AAC/D,MAAM,KAAK,GAAG,GAAG,EAAE,CAAC,OAAO,CAAC,KAAK,EAAE,CAAA;AAA7B,QAAA,KAAK,SAAwB","sourcesContent":["// separate file so I stop getting nagged in vim about deprecated API.\nexport const umask = () => process.umask()\n"]}

dist/esm/process-umask.d.ts

+export declare const umask: () => number;
+//# sourceMappingURL=process-umask.d.ts.map

dist/esm/process-umask.d.ts.map

+{"version":3,"file":"process-umask.d.ts","sourceRoot":"","sources":["../../src/process-umask.ts"],"names":[],"mappings":"AACA,eAAO,MAAM,KAAK,cAAwB,CAAA"}

dist/esm/process-umask.js

+// separate file so I stop getting nagged in vim about deprecated API.
+export const umask = () => process.umask();
+//# sourceMappingURL=process-umask.js.map

dist/esm/process-umask.js.map

+{"version":3,"file":"process-umask.js","sourceRoot":"","sources":["../../src/process-umask.ts"],"names":[],"mappings":"AAAA,sEAAsE;AACtE,MAAM,CAAC,MAAM,KAAK,GAAG,GAAG,EAAE,CAAC,OAAO,CAAC,KAAK,EAAE,CAAA","sourcesContent":["// separate file so I stop getting nagged in vim about deprecated API.\nexport const umask = () => process.umask()\n"]}

dist/commonjs/unpack.d.ts

@@ -8,2 +8,3 @@ import { type Stats } from 'node:fs';
 import { WarnData } from './warn-method.js';
+import { SymlinkError } from './symlink-error.js';
 declare const ONENTRY: unique symbol;
@@ -19,2 +20,3 @@ declare const CHECKFS: unique symbol;
 declare const HARDLINK: unique symbol;
+declare const ENSURE_NO_SYMLINK: unique symbol;
 declare const UNSUPPORTED: unique symbol;
@@ -80,2 +82,3 @@ declare const CHECKPATH: unique symbol;
     [HARDLINK](entry: ReadEntry, done: () => void): void;
+    [ENSURE_NO_SYMLINK](entry: ReadEntry, cwd: string, parts: string[], done: () => void, onError: (er: SymlinkError) => void): void;
     [PEND](): void;
@@ -97,2 +100,3 @@ [UNPEND](): void;
     [MKDIR](dir: string, mode: number): unknown;
+    [ENSURE_NO_SYMLINK](_entry: ReadEntry, cwd: string, parts: string[], done: () => void, onError: (er: SymlinkError) => void): void;
     [LINK](entry: ReadEntry, linkpath: string, link: 'link' | 'symlink', done: () => void): void;
@@ -99,0 +103,0 @@ }

dist/commonjs/unpack.js

@@ -57,2 +57,4 @@ "use strict";
 const path_reservations_js_1 = require("./path-reservations.js");
+const symlink_error_js_1 = require("./symlink-error.js");
+const process_umask_js_1 = require("./process-umask.js");
 const ONENTRY = Symbol('onEntry');
@@ -68,2 +70,3 @@ const CHECKFS = Symbol('checkFs');
 const HARDLINK = Symbol('hardlink');
+const ENSURE_NO_SYMLINK = Symbol('ensureNoSymlink');
 const UNSUPPORTED = Symbol('unsupported');
@@ -231,3 +234,3 @@ const CHECKPATH = Symbol('checkPath');
                 : typeof opt.processUmask === 'number' ? opt.processUmask
-                    : process.umask();
+                    : (0, process_umask_js_1.umask)();
         this.umask =
@@ -307,2 +310,3 @@ typeof opt.umask === 'number' ? opt.umask : this.processUmask;
     }
+    // no IO, just string checking for absolute indicators
     [CHECKPATH](entry) {
@@ -568,8 +572,30 @@ const p = (0, normalize_windows_path_js_1.normalizeWindowsPath)(entry.path);
     [SYMLINK](entry, done) {
-        this[LINK](entry, String(entry.linkpath), 'symlink', done);
+        const parts = (0, normalize_windows_path_js_1.normalizeWindowsPath)(node_path_1.default.relative(this.cwd, node_path_1.default.resolve(node_path_1.default.dirname(String(entry.absolute)), String(entry.linkpath)))).split('/');
+        this[ENSURE_NO_SYMLINK](entry, this.cwd, parts, () => this[LINK](entry, String(entry.linkpath), 'symlink', done), er => {
+            this[ONERROR](er, entry);
+            done();
+        });
     }
     [HARDLINK](entry, done) {
         const linkpath = (0, normalize_windows_path_js_1.normalizeWindowsPath)(node_path_1.default.resolve(this.cwd, String(entry.linkpath)));
-        this[LINK](entry, linkpath, 'link', done);
+        const parts = (0, normalize_windows_path_js_1.normalizeWindowsPath)(String(entry.linkpath)).split('/');
+        this[ENSURE_NO_SYMLINK](entry, this.cwd, parts, () => this[LINK](entry, linkpath, 'link', done), er => {
+            this[ONERROR](er, entry);
+            done();
+        });
     }
+    [ENSURE_NO_SYMLINK](entry, cwd, parts, done, onError) {
+        const p = parts.shift();
+        if (this.preservePaths || p === undefined)
+            return done();
+        const t = node_path_1.default.resolve(cwd, p);
+        node_fs_1.default.lstat(t, (er, st) => {
+            if (er)
+                return done();
+            if (st?.isSymbolicLink()) {
+                return onError(new symlink_error_js_1.SymlinkError(t, node_path_1.default.resolve(t, parts.join('/'))));
+            }
+            this[ENSURE_NO_SYMLINK](entry, t, parts, done, onError);
+        });
+    }
     [PEND]() {
@@ -707,3 +733,2 @@ this[PENDING]++;
     [LINK](entry, linkpath, link, done) {
-        // XXX: get the type ('symlink' or 'junction') for windows
         node_fs_1.default[link](linkpath, String(entry.absolute), er => {
@@ -910,6 +935,21 @@ if (er) {
     }
+    [ENSURE_NO_SYMLINK](_entry, cwd, parts, done, onError) {
+        if (this.preservePaths || !parts.length)
+            return done();
+        let t = cwd;
+        for (const p of parts) {
+            t = node_path_1.default.resolve(t, p);
+            const [er, st] = callSync(() => node_fs_1.default.lstatSync(t));
+            if (er)
+                return done();
+            if (st.isSymbolicLink()) {
+                return onError(new symlink_error_js_1.SymlinkError(t, node_path_1.default.resolve(cwd, parts.join('/'))));
+            }
+        }
+        done();
+    }
     [LINK](entry, linkpath, link, done) {
-        const ls = `${link}Sync`;
+        const linkSync = `${link}Sync`;
         try {
-            node_fs_1.default[ls](linkpath, String(entry.absolute));
+            node_fs_1.default[linkSync](linkpath, String(entry.absolute));
             done();
@@ -916,0 +956,0 @@ entry.resume();

dist/esm/unpack.d.ts

@@ -8,2 +8,3 @@ import { type Stats } from 'node:fs';
 import { WarnData } from './warn-method.js';
+import { SymlinkError } from './symlink-error.js';
 declare const ONENTRY: unique symbol;
@@ -19,2 +20,3 @@ declare const CHECKFS: unique symbol;
 declare const HARDLINK: unique symbol;
+declare const ENSURE_NO_SYMLINK: unique symbol;
 declare const UNSUPPORTED: unique symbol;
@@ -80,2 +82,3 @@ declare const CHECKPATH: unique symbol;
     [HARDLINK](entry: ReadEntry, done: () => void): void;
+    [ENSURE_NO_SYMLINK](entry: ReadEntry, cwd: string, parts: string[], done: () => void, onError: (er: SymlinkError) => void): void;
     [PEND](): void;
@@ -97,2 +100,3 @@ [UNPEND](): void;
     [MKDIR](dir: string, mode: number): unknown;
+    [ENSURE_NO_SYMLINK](_entry: ReadEntry, cwd: string, parts: string[], done: () => void, onError: (er: SymlinkError) => void): void;
     [LINK](entry: ReadEntry, linkpath: string, link: 'link' | 'symlink', done: () => void): void;
@@ -99,0 +103,0 @@ }

dist/esm/unpack.js

@@ -18,2 +18,4 @@ // the PEND/UNPEND stuff tracks whether we're ready to emit end/close yet.
 import { PathReservations } from './path-reservations.js';
+import { SymlinkError } from './symlink-error.js';
+import { umask } from './process-umask.js';
 const ONENTRY = Symbol('onEntry');
@@ -29,2 +31,3 @@ const CHECKFS = Symbol('checkFs');
 const HARDLINK = Symbol('hardlink');
+const ENSURE_NO_SYMLINK = Symbol('ensureNoSymlink');
 const UNSUPPORTED = Symbol('unsupported');
@@ -192,3 +195,3 @@ const CHECKPATH = Symbol('checkPath');
                 : typeof opt.processUmask === 'number' ? opt.processUmask
-                    : process.umask();
+                    : umask();
         this.umask =
@@ -268,2 +271,3 @@ typeof opt.umask === 'number' ? opt.umask : this.processUmask;
     }
+    // no IO, just string checking for absolute indicators
     [CHECKPATH](entry) {
@@ -529,8 +533,30 @@ const p = normalizeWindowsPath(entry.path);
     [SYMLINK](entry, done) {
-        this[LINK](entry, String(entry.linkpath), 'symlink', done);
+        const parts = normalizeWindowsPath(path.relative(this.cwd, path.resolve(path.dirname(String(entry.absolute)), String(entry.linkpath)))).split('/');
+        this[ENSURE_NO_SYMLINK](entry, this.cwd, parts, () => this[LINK](entry, String(entry.linkpath), 'symlink', done), er => {
+            this[ONERROR](er, entry);
+            done();
+        });
     }
     [HARDLINK](entry, done) {
         const linkpath = normalizeWindowsPath(path.resolve(this.cwd, String(entry.linkpath)));
-        this[LINK](entry, linkpath, 'link', done);
+        const parts = normalizeWindowsPath(String(entry.linkpath)).split('/');
+        this[ENSURE_NO_SYMLINK](entry, this.cwd, parts, () => this[LINK](entry, linkpath, 'link', done), er => {
+            this[ONERROR](er, entry);
+            done();
+        });
     }
+    [ENSURE_NO_SYMLINK](entry, cwd, parts, done, onError) {
+        const p = parts.shift();
+        if (this.preservePaths || p === undefined)
+            return done();
+        const t = path.resolve(cwd, p);
+        fs.lstat(t, (er, st) => {
+            if (er)
+                return done();
+            if (st?.isSymbolicLink()) {
+                return onError(new SymlinkError(t, path.resolve(t, parts.join('/'))));
+            }
+            this[ENSURE_NO_SYMLINK](entry, t, parts, done, onError);
+        });
+    }
     [PEND]() {
@@ -668,3 +694,2 @@ this[PENDING]++;
     [LINK](entry, linkpath, link, done) {
-        // XXX: get the type ('symlink' or 'junction') for windows
         fs[link](linkpath, String(entry.absolute), er => {
@@ -870,6 +895,21 @@ if (er) {
     }
+    [ENSURE_NO_SYMLINK](_entry, cwd, parts, done, onError) {
+        if (this.preservePaths || !parts.length)
+            return done();
+        let t = cwd;
+        for (const p of parts) {
+            t = path.resolve(t, p);
+            const [er, st] = callSync(() => fs.lstatSync(t));
+            if (er)
+                return done();
+            if (st.isSymbolicLink()) {
+                return onError(new SymlinkError(t, path.resolve(cwd, parts.join('/'))));
+            }
+        }
+        done();
+    }
     [LINK](entry, linkpath, link, done) {
-        const ls = `${link}Sync`;
+        const linkSync = `${link}Sync`;
         try {
-            fs[ls](linkpath, String(entry.absolute));
+            fs[linkSync](linkpath, String(entry.absolute));
             done();
@@ -876,0 +916,0 @@ entry.resume();

package.json

@@ -5,3 +5,3 @@ {
   "description": "tar for node",
-  "version": "7.5.7",
+  "version": "7.5.8",
   "repository": {
@@ -8,0 +8,0 @@ "type": "git",

New alerts

Environment variable access

Supply chain risk

Package accesses environment variables, which may be a sign of credential stuffing or data theft.

Found 4 instances in 1 package

Filesystem access

Supply chain risk

Accesses the file system, and could potentially read sensitive data.

Found 1 instance in 1 package

Long strings

Supply chain risk

Contains long string literals, which may be a sign of obfuscated or packed code.

Found 1 instance in 1 package

Fixed alerts

Deprecated

Maintenance

The maintainer of the package marked it as deprecated. This could indicate that a single version should not be used, or that the package is no longer maintained and any new vulnerabilities will not be fixed.

Found 1 instance in 1 package

Environment variable access

Supply chain risk

Package accesses environment variables, which may be a sign of credential stuffing or data theft.

Found 4 instances in 1 package

Filesystem access

Supply chain risk

Accesses the file system, and could potentially read sensitive data.

Found 1 instance in 1 package

Long strings

Supply chain risk

Contains long string literals, which may be a sign of obfuscated or packed code.

Found 1 instance in 1 package

Improved metrics

Total package byte prevSize

1271384

1.2%

Number of package files

245

3.38%

Lines of code

12016

0.82%

Number of medium maintenance alerts

0

-100%

Worsened metrics

Number of low supply chain risk alerts

54

3.85%

No dependency changes