Skip to content
Permalink

Comparing changes

Choose two branches to see what’s changed or to start a new pull request. If you need to, you can also or learn more about diff comparisons.

Open a pull request

Create a new pull request by comparing changes across two branches. If you need to, you can also . Learn more about diff comparisons here.
base repository: node-modules/compressing
Failed to load repositories. Confirm that selected base ref is valid, then try again.
Loading
base: master
Choose a base ref
...
head repository: node-modules/compressing
Failed to load repositories. Confirm that selected head ref is valid, then try again.
Loading
compare: 1.x
Choose a head ref
Checking mergeability… Don’t worry, you can still create the pull request.
  • 10 commits
  • 10 files changed
  • 2 contributors

Commits on Aug 9, 2025

  1. chore: start 1.x branch

    @fengmk2
    fengmk2 committed Aug 9, 2025
    Configuration menu
    Copy the full SHA
    6f936e0 View commit details
    Browse the repository at this point in the history

  2. chore: typo fix on branch

    @fengmk2
    fengmk2 committed Aug 9, 2025
    Configuration menu
    Copy the full SHA
    41a5eae View commit details
    Browse the repository at this point in the history

  3. chore: support auto merge queue 

    [skip ci]
    @fengmk2
    fengmk2 committed Aug 9, 2025
    Configuration menu
    Copy the full SHA
    f2344e7 View commit details
    Browse the repository at this point in the history

Commits on Jan 27, 2026

  1. chore: add warnning message

    @fengmk2
    fengmk2 committed Jan 27, 2026
    Configuration menu
    Copy the full SHA
    2368a03 View commit details
    Browse the repository at this point in the history

  2. chore: add permissions to auto release

    @fengmk2
    fengmk2 committed Jan 27, 2026
    Configuration menu
    Copy the full SHA
    01acc46 View commit details
    Browse the repository at this point in the history

Commits on Jan 28, 2026

  1. fix: prevent arbitrary file write via symlink extraction (#133) 

    Add path traversal and symlink escape protection to prevent malicious
TAR/TGZ archives from writing files outside the extraction directory.

- Add isPathWithinParent() validation function
- Validate all entry paths stay within destination directory
- Validate symlink targets don't escape extraction directory
- Skip malicious entries with warning messages


GHSA-cc8f-xg8v-72m3

pick from
ce1c013
    @fengmk2
    fengmk2 authored Jan 28, 2026
    Configuration menu
    Copy the full SHA
    8d16c19 View commit details
    Browse the repository at this point in the history

  2. Release 1.10.4 

    [skip ci]

## <small>1.10.4 (2026-01-28)</small>

* fix: prevent arbitrary file write via symlink extraction (#133) ([8d16c19](8d16c19)), closes [#133](#133)
* chore: add permissions to auto release ([01acc46](01acc46))
* chore: add warnning message ([2368a03](2368a03))
* chore: start 1.x branch ([6f936e0](6f936e0))
* chore: support auto merge queue ([f2344e7](f2344e7))
* chore: typo fix on branch ([41a5eae](41a5eae))
    @semantic-release-bot
    semantic-release-bot committed Jan 28, 2026
    Configuration menu
    Copy the full SHA
    1c1b725 View commit details
    Browse the repository at this point in the history

Commits on Apr 13, 2026

  1. fix: prevent symlink path traversal via pre-existing symlinks during … 

    …tar extraction

Add isRealPathSafe() that walks each path segment using lstat to detect
when a pre-existing symlink on disk would cause a file write outside the
extraction directory. This mitigates GHSA-4c3q-x735-j3r5 where a
crafted tar with ordered entries (symlink then file through that symlink)
could escape the destination.

Also extracts createTarBuffer helper to shared test/util.js.

Closes GHSA-4c3q-x735-j3r5
    @fengmk2
    fengmk2 committed Apr 13, 2026
    Configuration menu
    Copy the full SHA
    18def23 View commit details
    Browse the repository at this point in the history

  2. Release 1.10.5 

    [skip ci]

## <small>1.10.5 (2026-04-13)</small>

* fix: prevent symlink path traversal via pre-existing symlinks during tar extraction ([18def23](18def23))
    @semantic-release-bot
    semantic-release-bot committed Apr 13, 2026
    Configuration menu
    Copy the full SHA
    40d5f1f View commit details
    Browse the repository at this point in the history

  3. chore: replace var with let/const in isRealPathSafe (#135) 

    ## Summary
- Replace `var` with `let`/`const` in `isRealPathSafe()` in
`lib/utils.js` to fix 6 eslint `no-var` errors introduced by the
GHSA-4c3q-x735-j3r5 fix.

## Test plan
- [x] `npm run lint` passes with 0 errors
    @fengmk2
    fengmk2 authored Apr 13, 2026
    Configuration menu
    Copy the full SHA
    60fa3af View commit details
    Browse the repository at this point in the history
Loading