Date: 2026-06-16 Target: tar-fs 3.1.2 / node-tar 7.5.x (path-traversal serial-incomplete-fixer) Verdict: WALK CLEAN (Linux vectors).
Two lessons
- Scrutiny > point-fixer history. tar-fs/node-tar is the textbook SERIAL point-fixer (path traversal
patched many times: CVE-2024-12905, 2025-48387, 2026-23745, 2026-31802...). By the refined predictor
(small/less-rigorous projects point-fix -> yield) it looked promising. But it is ALSO one of the most
heavily-audited npm surfaces (Google Project Zero, Snyk, countless researchers). Empirically, tar-fs 3.1.2
cleanly rejects symlink->abs, symlink->../ , hardlink->../ (all "not a valid symlink/hardlink") and contains
plain ../../. The convergence held. => Refine the predictor again: point-fixer-prior is necessary but
AUDIT-PRESSURE is the dominating term. Highest EV = point-fixer x LOW-scrutiny x FRESH (PyJWT/Django were
fresh Feb/Jun-2026 clusters; tar-fs is years-hammered). Prefer freshly-disclosed clusters in less-trodden
libs over famous serial-CVE projects whose latest is saturated.
- Platform-bounded bugs need the platform. CVE-2026-31802 (the freshest node-tar bug) is Windows-only
(drive-relative linkpath
C:../../x); node on Linux treats C:.. as a literal filename, so it is
UNTESTABLE on this Linux box - empirical confirmation requires a Windows runner. Banked blocker (24h-rule:
acknowledged-by-name with the exact resolution path = a Windows env), NOT deferred-vaguely. When a CVE's
trigger is platform-specific, check your box matches BEFORE investing the audit.
Method note: tar-fs escape test harness (reusable) = tar-stream pack() malicious entries
(symlink/link/file with ../ or abs linkname + a follow-up write-through entry) -> tar-fs.extract(dest) ->
check a canary file OUTSIDE dest is untouched. Cheap, deterministic, one node container.
yielded 4 findings; mature/scrutinized libs (Symfony, undici, axios, aiohttp, tar-fs) all walked. The vein's
EV is gated by cluster FRESHNESS + target SCRUTINY, not just maintainer fix-style.