From 34cc060a78c8cdbfe160f27d4f3e8478bf323c69 Mon Sep 17 00:00:00 2001
From: jdalton
Date: Tue, 21 Apr 2026 17:47:53 -0400
Subject: [PATCH] =?UTF-8?q?fix(deps):=20bump=20nanotar=200.2.0=20=E2=86=92?= =?UTF-8?q?=200.2.1=20to=20patch=20path=20traversal=20(CVE-2025-69874)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

nanotar <= 0.2.0 is vulnerable to path traversal in parseTar() and parseTarGzip() (GHSA-92fh-27vv-894w, CVE-2025-69874, medium). Upstream shipped 0.2.1 as a backport patch alongside 0.3.0; 0.2.1 keeps us on the minor line with only the path-sanitization fix applied (unjs/nanotar#58).

Dependabot alert: https://github.com/SocketDev/socket-cli/security/dependabot/97

---
 pnpm-lock.yaml | 15 +++++++--------
 pnpm-workspace.yaml | 2 +-
 2 files changed, 8 insertions(+), 9 deletions(-)

diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
index a2e59ee11..adc83df24 100644
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@@ -199,8 +199,8 @@ catalogs:
 specifier: 5.5.0
 version: 5.5.0
 nanotar:
- specifier: 0.2.0
- version: 0.2.0
+ specifier: 0.2.1
+ version: 0.2.1
 nock:
 specifier: 14.0.10
 version: 14.0.10
@@ -496,7 +496,7 @@ importers:
 version: 5.5.0
 nanotar:
 specifier: 'catalog:'
- version: 0.2.0
+ version: 0.2.1
 nock:
 specifier: 'catalog:'
 version: 14.0.10
@@ -725,7 +725,7 @@ importers:
 version: 4.0.8
 nanotar:
 specifier: 'catalog:'
- version: 0.2.0
+ version: 0.2.1
 npm-package-arg:
 specifier: 13.0.0
 version: 13.0.0
@@ -2151,7 +2151,6 @@ packages:
 '@socketaddon/iocraft@file:packages/package-builder/build/dev/out/socketaddon-iocraft':
 resolution: {directory: packages/package-builder/build/dev/out/socketaddon-iocraft, type: directory}
- engines: {node: '>=18'}
 '@socketregistry/es-set-tostringtag@1.0.10':
 resolution: {integrity: sha512-btXmvw1JpA8WtSoXx9mTapo9NAyIDKRRzK84i48d8zc0X09M6ORfobVnHbgwhXf7CFhkRzhYrHG9dqbI9vpELQ==}
@@ -3484,8 +3483,8 @@ packages:
 engines: {node: ^10 || ^12 || ^13.7 || ^14 || >=15.0.1}
 hasBin: true
- nanotar@0.2.0:
- resolution: {integrity: sha512-9ca1h0Xjvo9bEkE4UOxgAzLV0jHKe6LMaxo37ND2DAhhAtd0j8pR1Wxz+/goMrZO8AEZTWCmyaOsFI/W5AdpCQ==}
+ nanotar@0.2.1:
+ resolution: {integrity: sha512-MUrzzDUcIOPbv7ubhDV/L4CIfVTATd9XhDE2ixFeCrM5yp9AlzUpn91JrnN0HD6hksdxvz9IW9aKANz0Bta0GA==}
 napi-build-utils@2.0.0:
 resolution: {integrity: sha512-GEbrYkbfF7MoNaoh2iGG84Mnf/WZfB0GdGEsM8wz7Expx/LlWf5U8t9nvJKXSp3qr5IsEbK04cBGhol/KwOsWA==}
@@ -6987,7 +6986,7 @@ snapshots:
 nanoid@3.3.11: {}
- nanotar@0.2.0: {}
+ nanotar@0.2.1: {}
 napi-build-utils@2.0.0: {}
diff --git a/pnpm-workspace.yaml b/pnpm-workspace.yaml
index 7d054cb67..4e3ff879e 100644
--- a/pnpm-workspace.yaml
+++ b/pnpm-workspace.yaml
@@ -102,7 +102,7 @@ catalog:
 magic-string: 0.30.19
 micromatch: 4.0.8
 mock-fs: 5.5.0
- nanotar: 0.2.0
+ nanotar: 0.2.1
 nock: 14.0.10
 npm-package-arg: 13.0.0
 npm-run-all2: 8.0.4