Skip to content

Fix GHSA-mp2f-45pm-3cg9 by migrating to @xhmikosr/decompress#30

Closed
vavsab wants to merge 1 commit into
bytecodealliance:mainfrom
vavsab:fix/decompress-cve-2026-53486
Closed

Fix GHSA-mp2f-45pm-3cg9 by migrating to @xhmikosr/decompress#30
vavsab wants to merge 1 commit into
bytecodealliance:mainfrom
vavsab:fix/decompress-cve-2026-53486

Conversation

@vavsab

@vavsab vavsab commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

Fixes #29GHSA-mp2f-45pm-3cg9.

  • decompress@^4.2.1@xhmikosr/decompress@^11.1.3
  • decompress-tar@^4.1.1@xhmikosr/decompress-tar@^9.0.1
  • decompress-unzip@^4.0.1@xhmikosr/decompress-unzip@^8.1.1
  • engines.node >=16>=20 (required by @xhmikosr/decompress@11; can drop to >=18 with the ^10.2.1 line if preferred)

Call site unchanged (same default-export API). Verified locally with weval's exact decompress(buf, dir, { strip: 1, plugins: [unzip(), tar()], filter }) call against a real tar.

The upstream `decompress` package is unmaintained and every version
through 4.2.1 is vulnerable to GHSA-mp2f-45pm-3cg9 / CVE-2026-53486
(critical, CVSS 9.1): path traversal, hard/symlink escape, and setuid-bit
preservation during archive extraction. The advisory itself recommends
migrating to the maintained `@xhmikosr/decompress` fork (patched at
11.1.3), which keeps the same default-export API and ships matching
`@xhmikosr/decompress-tar` / `@xhmikosr/decompress-unzip` plugins.

- Swap three deps in `npm/weval/package.json`.
- Update imports in `npm/weval/index.js` — call site unchanged.
- Bump `engines.node` from `>=16` to `>=20` (required by
  `@xhmikosr/decompress@11`).

Verified locally with weval's exact call site
(`decompress(buf, dir, { strip: 1, plugins: [unzip(), tar()], filter })`)
against a real tar archive — extraction succeeds and the filter still
picks out the binary.
@vavsab

vavsab commented Jul 7, 2026

Copy link
Copy Markdown
Contributor Author

Friendly ping @cfallin @andreiltd @vados-cosmonic — would you be able to merge and cut a release when you get a chance? This is the only remaining source of the critical decompress CVE for downstreams. Thanks!

@cfallin

cfallin commented Jul 7, 2026

Copy link
Copy Markdown
Member

I am currently on PTO (monitoring email) this week and traveling next week. I can take a closer look after that. On first pass, randomly-named fork plus pressure to merge sets off some yellow flags for me (see xz supply-chain attack), and the decompressor is used only to unpack GitHub release artifacts which are trusted, so I want to be cautious here. I'll ping some others in Bytecode Alliance to make them aware as well.

@tschneidereit

Copy link
Copy Markdown
Member

I agree with Chris: we definitely can't take a dependency on a fork with very little usage and almost no dependents for such a core piece of functionality. That'd be true even if our use of decompress was of potentially untrusted contents, but since that's additionally not the case, I don't see reason for particular urgency in fixing things here.

@vavsab if you do need a fix, you could look at updating the code to make use of something like tar or minizlib instead.

@vavsab

vavsab commented Jul 7, 2026

Copy link
Copy Markdown
Contributor Author

@tschneidereit Do you mean that I am welcome to contribute here to replace decompress with tar?

@tschneidereit

Copy link
Copy Markdown
Member

@vavsab absolutely, yes. At a quick glance that should be a pretty straightforward change that I'd be happy to sign off on.

@vavsab vavsab deleted the fix/decompress-cve-2026-53486 branch July 8, 2026 08:32
vavsab added a commit to vavsab/weval that referenced this pull request Jul 8, 2026
Drop the unmaintained `decompress` / `decompress-tar` / `decompress-unzip`
stack (path-traversal CVE GHSA-mp2f-45pm-3cg9) in favour of well-maintained,
widely-audited alternatives as suggested by @tschneidereit in bytecodealliance#30:

- `tar` (isaacs/node-tar) for `.tar` extraction (Linux/macOS path)
- `fflate` (pure-JS, zero native deps) for `.zip` extraction (Windows path)

xz decompression is unchanged (still `@napi-rs/lzma`). Call site semantics
are identical: strip the leading directory, keep only the `weval` binary.

`npm audit` reports 0 vulnerabilities after the change.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Security: transitive decompress is unmaintained and vulnerable (GHSA-mp2f-45pm-3cg9 / CVE-2026-53486, CVSS 9.1)

3 participants