Skip to content

[agent] chore(deps): replace decompress with @xhmikosr/decompress to fix GHSA-mp2f-45pm-3cg9#818

Draft
github-actions[bot] wants to merge 1 commit into
mainfrom
security/fix-decompress-ghsa-mp2f-45pm-3cg9-fbff293aa96a4293
Draft

[agent] chore(deps): replace decompress with @xhmikosr/decompress to fix GHSA-mp2f-45pm-3cg9#818
github-actions[bot] wants to merge 1 commit into
mainfrom
security/fix-decompress-ghsa-mp2f-45pm-3cg9-fbff293aa96a4293

Conversation

@github-actions

@github-actions github-actions Bot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

Summary

Fixes Dependabot alert #293.

The decompress package (≤ 4.2.1) has a critical path traversal vulnerability (CVE-2026-53486 / GHSA-mp2f-45pm-3cg9, CVSS 9.1):

  • Symlink/hardlink entries can escape the extraction target directory
  • Path containment check used a string prefix that could be fooled by sibling directory names (e.g. /srv/out-old matches prefix /srv/out)
  • setuid/setgid/sticky bits were not stripped from extracted files

The upstream decompress package is unmaintained with no patched version (first_patched_version: null). The fix is to migrate to the maintained fork @xhmikosr/decompress, which patches all three issues in v10.2.1 and v11.1.3.

Changes

  • packages/mongodb-downloader/package.json: replace "decompress": "^4.2.1" with "@xhmikosr/decompress": "^11.1.3". Remove @types/decompress from devDependencies (the type declarations are now provided locally).
  • packages/mongodb-downloader/src/xhmikosr-decompress.d.ts (new): local ambient type declaration for @xhmikosr/decompress (the package ships no bundled types and there is no @types/xhmikosr__decompress on npm).
  • packages/mongodb-downloader/src/index.ts: update import from 'decompress''@xhmikosr/decompress'.
  • package-lock.json: updated transitively — decompress@4.2.1 and its plugins (decompress-tar, decompress-tarbz2, decompress-targz, decompress-unzip) are replaced by the @xhmikosr equivalents.

The call-site API (decompress(filename, outputDir, { strip, filter })) is unchanged; @xhmikosr/decompress is a drop-in replacement.

Generated by Dependabot remediation agent · ● 2M ·

…-mp2f-45pm-3cg9

The unmaintained 'decompress' package (<=4.2.1) has a critical path traversal
vulnerability (CVE-2026-53486 / GHSA-mp2f-45pm-3cg9). No upstream fix exists.

Migrate packages/mongodb-downloader to the maintained fork @xhmikosr/decompress
v11.1.3, which resolves symlink/hardlink escape, path containment prefix issues,
and setuid/setgid bit preservation.

Changes:
- Replace 'decompress' direct dep with '@xhmikosr/decompress@^11.1.3' in
  packages/mongodb-downloader/package.json
- Remove @types/decompress (no longer needed for 'decompress' module)
- Add local type declaration src/xhmikosr-decompress.d.ts
- Update import in src/index.ts to '@xhmikosr/decompress'
- Update package-lock.json

Fixes Dependabot alert #293

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants