From 0f10ec963c883388f50621205fc78d6e1288d596 Mon Sep 17 00:00:00 2001
From: Joeri van Veen <joeri@myparcel.nl>
Date: Fri, 13 Mar 2026 14:46:33 +0100
Subject: [PATCH 1/2] fix(security): fix tar vulnerability
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Fixes ‘node-tar Symlink Path Traversal via Drive-Relative Linkpath’ by resolution to tar version 7.5.11 and up.
---
 package.json |  3 +++
 yarn.lock    | 57 ++++++++++++++++++++++++++++++++++++++++------------
 2 files changed, 47 insertions(+), 13 deletions(-)

diff --git a/package.json b/package.json
index 268eb12..3a73706 100644
--- a/package.json
+++ b/package.json
@@ -59,6 +59,9 @@
     ],
     "root": true
   },
+  "resolutions": {
+    "tar": "^7.5.11"
+  },
   "dependencies": {
     "@actions/core": "^1.11.1",
     "@actions/glob": "^0.4.0",
diff --git a/yarn.lock b/yarn.lock
index 45afa9b..c1c3fce 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -587,6 +587,15 @@ __metadata:
   languageName: node
   linkType: hard
 
+"@isaacs/fs-minipass@npm:^4.0.0":
+  version: 4.0.1
+  resolution: "@isaacs/fs-minipass@npm:4.0.1"
+  dependencies:
+    minipass: "npm:^7.0.4"
+  checksum: 10c0/c25b6dc1598790d5b55c0947a9b7d111cfa92594db5296c3b907e2f533c033666f692a3939eadac17b1c7c40d362d0b0635dc874cbfe3e70db7c2b07cc97a5d2
+  languageName: node
+  linkType: hard
+
 "@isaacs/string-locale-compare@npm:^1.1.0":
   version: 1.1.0
   resolution: "@isaacs/string-locale-compare@npm:1.1.0"
@@ -3142,6 +3151,13 @@ __metadata:
   languageName: node
   linkType: hard
 
+"chownr@npm:^3.0.0":
+  version: 3.0.0
+  resolution: "chownr@npm:3.0.0"
+  checksum: 10c0/43925b87700f7e3893296c8e9c56cc58f926411cce3a6e5898136daaf08f08b9a8eb76d37d3267e707d0dcc17aed2e2ebdf5848c0c3ce95cf910a919935c1b10
+  languageName: node
+  linkType: hard
+
 "ci-info@npm:^3.2.0":
   version: 3.9.0
   resolution: "ci-info@npm:3.9.0"
@@ -4585,7 +4601,7 @@ __metadata:
   languageName: node
   linkType: hard
 
-"fs-minipass@npm:^2.0.0, fs-minipass@npm:^2.1.0":
+"fs-minipass@npm:^2.1.0":
   version: 2.1.0
   resolution: "fs-minipass@npm:2.1.0"
   dependencies:
@@ -6644,7 +6660,7 @@ __metadata:
   languageName: node
   linkType: hard
 
-"minizlib@npm:^2.1.1, minizlib@npm:^2.1.2":
+"minizlib@npm:^2.1.2":
   version: 2.1.2
   resolution: "minizlib@npm:2.1.2"
   dependencies:
@@ -6654,7 +6670,16 @@ __metadata:
   languageName: node
   linkType: hard
 
-"mkdirp@npm:^1.0.3, mkdirp@npm:^1.0.4":
+"minizlib@npm:^3.1.0":
+  version: 3.1.0
+  resolution: "minizlib@npm:3.1.0"
+  dependencies:
+    minipass: "npm:^7.1.2"
+  checksum: 10c0/5aad75ab0090b8266069c9aabe582c021ae53eb33c6c691054a13a45db3b4f91a7fb1bd79151e6b4e9e9a86727b522527c0a06ec7d45206b745d54cd3097bcec
+  languageName: node
+  linkType: hard
+
+"mkdirp@npm:^1.0.4":
   version: 1.0.4
   resolution: "mkdirp@npm:1.0.4"
   bin:
@@ -9164,17 +9189,16 @@ __metadata:
   languageName: node
   linkType: hard
 
-"tar@npm:^6.1.11, tar@npm:^6.1.13, tar@npm:^6.1.2, tar@npm:^6.2.0, tar@npm:^6.2.1":
-  version: 6.2.1
-  resolution: "tar@npm:6.2.1"
+"tar@npm:^7.5.11":
+  version: 7.5.11
+  resolution: "tar@npm:7.5.11"
   dependencies:
-    chownr: "npm:^2.0.0"
-    fs-minipass: "npm:^2.0.0"
-    minipass: "npm:^5.0.0"
-    minizlib: "npm:^2.1.1"
-    mkdirp: "npm:^1.0.3"
-    yallist: "npm:^4.0.0"
-  checksum: 10c0/a5eca3eb50bc11552d453488344e6507156b9193efd7635e98e867fab275d527af53d8866e2370cd09dfe74378a18111622ace35af6a608e5223a7d27fe99537
+    "@isaacs/fs-minipass": "npm:^4.0.0"
+    chownr: "npm:^3.0.0"
+    minipass: "npm:^7.1.2"
+    minizlib: "npm:^3.1.0"
+    yallist: "npm:^5.0.0"
+  checksum: 10c0/b6bb420550ef50ef23356018155e956cd83282c97b6128d8d5cfe5740c57582d806a244b2ef0bf686a74ce526babe8b8b9061527623e935e850008d86d838929
   languageName: node
   linkType: hard
 
@@ -10036,6 +10060,13 @@ __metadata:
   languageName: node
   linkType: hard
 
+"yallist@npm:^5.0.0":
+  version: 5.0.0
+  resolution: "yallist@npm:5.0.0"
+  checksum: 10c0/a499c81ce6d4a1d260d4ea0f6d49ab4da09681e32c3f0472dee16667ed69d01dae63a3b81745a24bd78476ec4fcf856114cb4896ace738e01da34b2c42235416
+  languageName: node
+  linkType: hard
+
 "yaml@npm:^2.7.0":
   version: 2.8.0
   resolution: "yaml@npm:2.8.0"

From 3b976f1e70ccd7018ab65bc3e5def38af824cf07 Mon Sep 17 00:00:00 2001
From: Joeri van Veen <joeri@myparcel.nl>
Date: Mon, 16 Mar 2026 10:59:50 +0100
Subject: [PATCH 2/2] fix: pin version

---
 package.json | 10 +++++-----
 yarn.lock    |  2 +-
 2 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/package.json b/package.json
index 3a73706..e9b8df3 100644
--- a/package.json
+++ b/package.json
@@ -60,7 +60,7 @@
     "root": true
   },
   "resolutions": {
-    "tar": "^7.5.11"
+    "tar": "7.5.11"
   },
   "dependencies": {
     "@actions/core": "^1.11.1",
@@ -90,12 +90,12 @@
     "typescript": "^5.8.3",
     "vitest": "^2.1.9"
   },
-  "packageManager": "yarn@4.9.2",
+  "packageManager": "yarn@4.12.0",
   "engines": {
-    "node": "^20.19.4"
+    "node": "24.14.0"
   },
   "volta": {
-    "node": "20.19.4",
-    "yarn": "4.9.2"
+    "node": "24.14.0",
+    "yarn": "4.12.0"
   }
 }
diff --git a/yarn.lock b/yarn.lock
index c1c3fce..89db315 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -9189,7 +9189,7 @@ __metadata:
   languageName: node
   linkType: hard
 
-"tar@npm:^7.5.11":
+"tar@npm:7.5.11":
   version: 7.5.11
   resolution: "tar@npm:7.5.11"
   dependencies: