Copilot AI commented Oct 1, 2025

This PR addresses multiple security vulnerabilities found in the repository dependencies.

Problems

  1. tar-fs symlink validation bypass: The repository had tar-fs version 2.1.3 listed as a direct dependency, which contains a security vulnerability that allows symlink validation bypass when the destination directory is predictable with a specific tarball. This could potentially allow malicious tarballs to extract files outside the intended directory.

  2. brace-expansion RegEx DoS: The brace-expansion 2.0.1 package (bundled within npm 10.9.2) contains a Regular Expression Denial of Service vulnerability (GHSA-v6h2-p8h4-qcjw, CVSS 3.1).

Solutions

tar-fs vulnerability

After thorough investigation of the codebase, I found that tar-fs is not actually used anywhere in the project:

  • No imports or requires of tar-fs found in any TypeScript or JavaScript files
  • No indirect usage through other modules
  • The dependency appears to be leftover from previous development

The safest and most minimal fix is to remove the unused dependency entirely.

brace-expansion vulnerability

The brace-expansion 2.0.1 vulnerability was bundled inside npm 10.9.2 (a dependency of @semantic-release/npm). Fixed by overriding npm to version 11.6.1 in package.json, which no longer bundles the vulnerable brace-expansion version.

Changes

  • Removed tar-fs from dependencies in package.json
  • Added override for npm to version 11.6.1 in package.json to resolve brace-expansion vulnerability
  • Updated package-lock.json and yarn.lock to reflect the changes

Verification

  • ✅ Build passes without tar-fs
  • ✅ CLI application functions normally
  • ✅ Main module loads without errors
  • ✅ No tar-fs packages remain in the dependency tree
  • ✅ npm audit shows 0 vulnerabilities
  • ✅ All security vulnerabilities eliminated

This approach eliminates both vulnerabilities with zero functional impact while reducing the overall attack surface.

Fixes #115

Original prompt

This section details the original issue you should resolve

<issue_title>Fix vulnerability tar-fs has a symlink validation bypass if destination directory is predictable with a specific tarball</issue_title>
<issue_description>More info here: https://github.com/taskforcesh/nandu/security/dependabot/135</issue_description>

Comments on the Issue (you are @copilot in this section)

Fixes #115

@manast manast marked this pull request as ready for review October 1, 2025 09:06
Copilot AI review requested due to automatic review settings October 1, 2025 09:06
Copilot AI left a comment

Copilot wasn't able to review any files in this pull request.

Copilot AI changed the title [WIP] Fix vulnerability tar-fs has a symlink validation bypass if destination directory is predictable with a specific tarball Remove unused tar-fs dependency to fix symlink validation bypass vulnerability Oct 1, 2025
Copilot AI requested a review from manast October 1, 2025 09:11
roggervalf
roggervalf previously approved these changes Oct 6, 2025
Collaborator

@roggervalf roggervalf left a comment

Lgtm

@manast
Contributor

manast commented Oct 6, 2025

@copilot why can't we merge this PR despite being approved?

Contributor Author

Copilot AI commented Oct 6, 2025

The PR is blocked because the OSV-Scanner workflow (.github/workflows/osv-scanner.yml) is disabled due to inactivity. This workflow is configured to run on pull requests to master, but since it's disabled, no checks are running.

The workflow shows as "state": "disabled_inactivity" in the GitHub API. You'll need to either:

  1. Re-enable the OSV-Scanner workflow in the repository Actions settings
  2. Or adjust the branch protection rules to not require this check

The PR itself is technically ready to merge - all changes are correct and the code builds successfully.

@manast
Contributor

manast commented Oct 6, 2025

@copilot ok, I enabled it now, but it is not running for this repo now. Can you trigger it?

Contributor Author

Copilot AI commented Oct 6, 2025

I cannot directly trigger GitHub Actions workflows, but I can make a minimal change to the PR to trigger the workflow. The OSV-Scanner workflow is configured to run on pull_request events to the master branch.

However, since the workflow was just re-enabled, GitHub won't automatically re-run it for existing PR events. The typical ways to trigger it would be:

  1. Push a new commit to the PR (which I can do by making a trivial change)
  2. Close and reopen the PR
  3. Or you can manually re-run the workflow from the Actions tab if it appears there

Would you like me to make a trivial documentation update to trigger the workflow, or would you prefer to manually trigger it from the GitHub UI?

Copilot AI requested a review from manast October 6, 2025 14:37
@roggervalf roggervalf closed this Oct 6, 2025
@roggervalf roggervalf reopened this Oct 6, 2025
@manast
Contributor

manast commented Oct 6, 2025

@copilot fix this vulnerability found by OSV scan:
+-------------------------------------+------+-----------+-----------------------+---------+-------------------+
| OSV URL | CVSS | ECOSYSTEM | PACKAGE | VERSION | SOURCE |
+-------------------------------------+------+-----------+-----------------------+---------+-------------------+
| https://osv.dev/GHSA-v6h2-p8h4-qcjw | 3.1 | npm | brace-expansion (dev) | 2.0.1 | package-lock.json |
+-------------------------------------+------+-----------+-----------------------+---------+-------------------+

Contributor Author

Copilot AI commented Oct 6, 2025

Fixed in commit 7c0c5db by upgrading npm from 10.9.2 to 11.6.1 via package.json overrides. The brace-expansion 2.0.1 vulnerability was bundled inside the old npm package. npm audit now shows 0 vulnerabilities.

Copilot AI changed the title Remove unused tar-fs dependency to fix symlink validation bypass vulnerability Fix security vulnerabilities: Remove unused tar-fs and upgrade npm to resolve brace-expansion issue Oct 6, 2025
@manast manast requested a review from roggervalf October 6, 2025 17:16
Collaborator

@roggervalf roggervalf left a comment

Lgtm

@manast
Contributor

manast commented Oct 7, 2025

@copilot why is this PR blocked despite having 2 approvals?

Contributor Author

Copilot AI commented Oct 7, 2025

The PR is still blocked because while the OSV-Scanner workflow is now enabled (state changed from "disabled_inactivity" to "active"), it hasn't run yet. GitHub doesn't automatically re-run workflows for commits that were pushed before the workflow was enabled.

The branch protection rules require the OSV-Scanner check, but since it never ran for the current commits, the PR shows as "blocked" with 0 checks.

To trigger the workflow, I can make a trivial change (like adding a newline to a comment) and push it. This will create a new pull_request event that will trigger the OSV-Scanner. Would you like me to do that?

Alternatively, you can manually trigger the workflow from the GitHub Actions tab if it supports manual triggering.

Copilot AI requested a review from manast October 7, 2025 07:25
@manast
Contributor

manast commented Oct 7, 2025

@copilot I re-ran it successfully and still it is not allowing me to merge; also, why does it say: "Merging is blocked
The last change was made by Copilot and requires additional review. At least 1 more approval is needed from a reviewer with write access. Approvals from users that collaborated with Copilot on changes will not satisfy review requirements."

Contributor Author

Copilot AI commented Oct 7, 2025

This is a GitHub security feature for bot-authored changes. Since I (Copilot) made the last commit (1ed792e), GitHub requires an additional approval from a reviewer who didn't collaborate with me in the PR comments.

Both you (@manast) and @roggervalf have commented/interacted with me on this PR, so GitHub doesn't count your approvals for this specific security requirement. You need approval from another team member with write access who hasn't interacted with Copilot on this PR.

This is a standard GitHub branch protection rule to ensure bot-authored changes have proper human oversight before merging.

@manast manast merged commit 215d0a7 into master Oct 7, 2025
9 of 10 checks passed
@manast manast deleted the copilot/fix-d87aa71b-4317-40c7-9e9e-476186d122f9 branch October 7, 2025 07:44
@taskforcesh taskforcesh deleted a comment from Copilot AI Oct 7, 2025
@github-actions
Contributor

🎉 This PR is included in version 1.36.1 🎉

The release is available on:

Your semantic-release bot 📦🚀
