Fix GHSA-mp2f-45pm-3cg9 by migrating to @xhmikosr/decompress#30
Conversation
The upstream `decompress` package is unmaintained and every version through 4.2.1 is vulnerable to GHSA-mp2f-45pm-3cg9 / CVE-2026-53486 (critical, CVSS 9.1): path traversal, hard/symlink escape, and setuid-bit preservation during archive extraction. The advisory itself recommends migrating to the maintained `@xhmikosr/decompress` fork (patched at 11.1.3), which keeps the same default-export API and ships matching `@xhmikosr/decompress-tar` / `@xhmikosr/decompress-unzip` plugins. - Swap three deps in `npm/weval/package.json`. - Update imports in `npm/weval/index.js` — call site unchanged. - Bump `engines.node` from `>=16` to `>=20` (required by `@xhmikosr/decompress@11`). Verified locally with weval's exact call site (`decompress(buf, dir, { strip: 1, plugins: [unzip(), tar()], filter })`) against a real tar archive — extraction succeeds and the filter still picks out the binary.
|
Friendly ping @cfallin @andreiltd @vados-cosmonic — would you be able to merge and cut a release when you get a chance? This is the only remaining source of the critical |
|
I am currently on PTO (monitoring email) this week and traveling next week. I can take a closer look after that. On first pass, randomly-named fork plus pressure to merge sets off some yellow flags for me (see xz supply-chain attack), and the decompressor is used only to unpack GitHub release artifacts which are trusted, so I want to be cautious here. I'll ping some others in Bytecode Alliance to make them aware as well. |
|
I agree with Chris: we definitely can't take a dependency on a fork with very little usage and almost no dependents for such a core piece of functionality. That'd be true even if our use of @vavsab if you do need a fix, you could look at updating the code to make use of something like tar or minizlib instead. |
|
@tschneidereit Do you mean that I am welcome to contribute here to replace decompress with tar? |
|
@vavsab absolutely, yes. At a quick glance that should be a pretty straightforward change that I'd be happy to sign off on. |
Drop the unmaintained `decompress` / `decompress-tar` / `decompress-unzip` stack (path-traversal CVE GHSA-mp2f-45pm-3cg9) in favour of well-maintained, widely-audited alternatives as suggested by @tschneidereit in bytecodealliance#30: - `tar` (isaacs/node-tar) for `.tar` extraction (Linux/macOS path) - `fflate` (pure-JS, zero native deps) for `.zip` extraction (Windows path) xz decompression is unchanged (still `@napi-rs/lzma`). Call site semantics are identical: strip the leading directory, keep only the `weval` binary. `npm audit` reports 0 vulnerabilities after the change. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Fixes #29 — GHSA-mp2f-45pm-3cg9.
decompress@^4.2.1→@xhmikosr/decompress@^11.1.3decompress-tar@^4.1.1→@xhmikosr/decompress-tar@^9.0.1decompress-unzip@^4.0.1→@xhmikosr/decompress-unzip@^8.1.1engines.node>=16→>=20(required by@xhmikosr/decompress@11; can drop to>=18with the^10.2.1line if preferred)Call site unchanged (same default-export API). Verified locally with weval's exact
decompress(buf, dir, { strip: 1, plugins: [unzip(), tar()], filter })call against a real tar.