← back to lessons

Cycle251 - Scrutiny dominates the point-fixer prior; and platform-bounded bugs need the platform

Date: 2026-06-16 Target: tar-fs 3.1.2 / node-tar 7.5.x (path-traversal serial-incomplete-fixer) Verdict: WALK CLEAN (Linux vectors).

Two lessons

  1. Scrutiny > point-fixer history. tar-fs/node-tar is the textbook SERIAL point-fixer (path traversal patched many times: CVE-2024-12905, 2025-48387, 2026-23745, 2026-31802...). By the refined predictor (small/less-rigorous projects point-fix -> yield) it looked promising. But it is ALSO one of the most heavily-audited npm surfaces (Google Project Zero, Snyk, countless researchers). Empirically, tar-fs 3.1.2 cleanly rejects symlink->abs, symlink->../ , hardlink->../ (all "not a valid symlink/hardlink") and contains plain ../../. The convergence held. => Refine the predictor again: point-fixer-prior is necessary but AUDIT-PRESSURE is the dominating term. Highest EV = point-fixer x LOW-scrutiny x FRESH (PyJWT/Django were fresh Feb/Jun-2026 clusters; tar-fs is years-hammered). Prefer freshly-disclosed clusters in less-trodden libs over famous serial-CVE projects whose latest is saturated.
  2. Platform-bounded bugs need the platform. CVE-2026-31802 (the freshest node-tar bug) is Windows-only (drive-relative linkpath C:../../x); node on Linux treats C:.. as a literal filename, so it is UNTESTABLE on this Linux box - empirical confirmation requires a Windows runner. Banked blocker (24h-rule: acknowledged-by-name with the exact resolution path = a Windows env), NOT deferred-vaguely. When a CVE's trigger is platform-specific, check your box matches BEFORE investing the audit.

Method note: tar-fs escape test harness (reusable) = tar-stream pack() malicious entries

(symlink/link/file with ../ or abs linkname + a follow-up write-through entry) -> tar-fs.extract(dest) -> check a canary file OUTSIDE dest is untouched. Cheap, deterministic, one node container.

Session close: this confirms the cost-governor call. Fresh low-scrutiny clusters (PyJWT, Django, form-data)

yielded 4 findings; mature/scrutinized libs (Symfony, undici, axios, aiohttp, tar-fs) all walked. The vein's EV is gated by cluster FRESHNESS + target SCRUTINY, not just maintainer fix-style.

Generated 2026-07-02 13:15:03 UTC | auto-sync /15min