From fec021a178833e2132000ec32fcac9795e0d4920 Mon Sep 17 00:00:00 2001
From: Teodor Ciuraru
Date: Mon, 29 Sep 2025 16:02:18 +0300
Subject: [PATCH] fix: update tar-fs to 3.1.1 to resolve security vulnerability
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Resolves CVE-2025-59343 - symlink validation bypass vulnerability in tar-fs
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude
---
 package.json | 2 +-
 yarn.lock | 8 ++++----
 2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/package.json b/package.json
index ec92c4a..1952b47 100644
--- a/package.json
+++ b/package.json
@@ -40,7 +40,7 @@
 "react-dom": ">=16.0.0"
 },
 "resolutions": {
- "tar-fs": "3.0.9"
+ "tar-fs": "3.1.1"
 },
 "devDependencies": {
 "@dittolive/ditto": "^4.0.0",
diff --git a/yarn.lock b/yarn.lock
index 592c112..8af45ce 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -6057,10 +6057,10 @@ synckit@^0.9.1:
 "@pkgr/core" "^0.1.0"
 tslib "^2.6.2"

-tar-fs@3.0.9, tar-fs@^3.0.6:
- version "3.0.9"
- resolved "https://registry.yarnpkg.com/tar-fs/-/tar-fs-3.0.9.tgz#d570793c6370d7078926c41fa422891566a0b617"
- integrity sha512-XF4w9Xp+ZQgifKakjZYmFdkLoSWd34VGKcsTCwlNWM7QG3ZbaxnTsaBwnjFZqHRf/rROxaR8rXnbtwdvaDI+lA==
+tar-fs@3.1.1, tar-fs@^3.0.6:
+ version "3.1.1"
+ resolved "https://registry.yarnpkg.com/tar-fs/-/tar-fs-3.1.1.tgz#4f164e59fb60f103d472360731e8c6bb4a7fe9ef"
+ integrity sha512-LZA0oaPOc2fVo82Txf3gw+AkEd38szODlptMYejQUhndHMLQ9M059uXR+AfS7DNo0NpINvSqDsvyaCrBVkptWg==
 dependencies:
 pump "^3.0.0"
 tar-stream "^3.1.5"