Skip to content

Replace unmaintained decompress package with tar + fflate#32

Merged
tschneidereit merged 1 commit into
bytecodealliance:mainfrom
vavsab:fix/decompress-cve-use-tar
Jul 8, 2026
Merged

Replace unmaintained decompress package with tar + fflate#32
tschneidereit merged 1 commit into
bytecodealliance:mainfrom
vavsab:fix/decompress-cve-use-tar

Conversation

@vavsab

@vavsab vavsab commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

Follows up on #30 / suggested by @tschneidereit.

Drops decompress / decompress-tar / decompress-unzip (GHSA-mp2f-45pm-3cg9) in favour of tar (isaacs/node-tar) for .tar.xz and fflate for .zip. Call-site semantics are unchanged.

npm audit reports 0 vulnerabilities.

@vavsab vavsab force-pushed the fix/decompress-cve-use-tar branch from d49a9bb to 77b466a Compare July 8, 2026 08:47
Drop `decompress` / `decompress-tar` / `decompress-unzip` in favour of
`tar` (isaacs/node-tar) for .tar and `fflate` for .zip.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@vavsab vavsab force-pushed the fix/decompress-cve-use-tar branch from 77b466a to e2b16a7 Compare July 8, 2026 08:50
@vavsab

vavsab commented Jul 8, 2026

Copy link
Copy Markdown
Contributor Author

@tschneidereit Please review. I am available to perform adjustments if needed

@tschneidereit tschneidereit changed the title npm: replace decompress with tar + fflate (fixes GHSA-mp2f-45pm-3cg9) Replace unmaintained decompress package with tar + fflate Jul 8, 2026

@tschneidereit tschneidereit left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good to me, thank you!

@tschneidereit tschneidereit merged commit debcd07 into bytecodealliance:main Jul 8, 2026
11 checks passed
@vavsab vavsab deleted the fix/decompress-cve-use-tar branch July 8, 2026 13:21
@vavsab

vavsab commented Jul 8, 2026

Copy link
Copy Markdown
Contributor Author

@tschneidereit Thanks for merging! Anything I can do to help to create a new release here?
https://www.npmjs.com/package/@bytecodealliance/weval
I can create a PR to automate package publishing by using new Github Oauth trusted publishers that eliminate the need of using npm tokens.

@tschneidereit

Copy link
Copy Markdown
Member

That'd make sense to do, yes. Please take a look at bytecodealliance/wizer#143 for how wizer as an extremely similar project is doing this.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants