[Security] tar ≤7.5.10 transitive dependency in uniwind-pro has 7 known vulnerabilities (2 high severity)

[dacoto]

What happened?

The tar package (≤7.5.10), a transitive dependency of uniwind-pro, has 7 known vulnerabilities (5 low, 2 high severity) flagged by npm audit:

• [HIGH] Arbitrary File Creation/Overwrite via Hardlink Path Traversal — GHSA-34x7-hfp2-rc4v
• [HIGH] Arbitrary File Overwrite and Symlink Poisoning via Insufficient Path Sanitization — GHSA-8qq5-rm4j-mr97
• Arbitrary File Read/Write via Hardlink Target Escape Through Symlink Chain — GHSA-83g3-92jg-28cx
• Hardlink Path Traversal via Drive-Relative Linkpath — GHSA-qffp-2rhf-9h96
• Symlink Path Traversal via Drive-Relative Linkpath — GHSA-9ppj-qmqm-q256
• Race Condition via Unicode Ligature Collisions on macOS APFS — GHSA-r6q2-hw4h-h46w

The fix suggested by npm (npm audit fix --force) would install undefined@undefined, indicating no safe upgrade path exists without uniwind-pro updating its own dependency.

Steps to Reproduce

1. Install uniwind-pro in any project
2. Run npm audit
3. Observe 7 vulnerabilities reported in node_modules/tar, pulled in by node_modules/uniwind

Snack or Repository Link

https://github.com/dacoto/transportam-app

Uniwind version

1.0.0-rc.6

React Native Version

0.83.2

Platforms

Android, iOS

Expo

Yes

Additional information

• I've searched for similar issues in this repository and found none

[jpudysz]

Thank you @dacoto for this. I bumped tar from 7.5.2 to 7.5.13 as it fixes all these vulnerabilities.

Will be available in next release (1-2 days)!

[jpudysz]

Released in RC.7