pnpm 10.34.1 → 10.34.3

package/dist/node_modules/.modules.yaml

@@ -19,28 +19,28 @@
     "nopt@8.1.0": [
       "node_modules/nopt"
     ],
-    "env-paths@2.2.1": [
-      "node_modules/env-paths"
-    ],
-    "proc-log@5.0.0": [
-      "node_modules/proc-log"
+    "tar@7.5.16": [
+      "node_modules/tar"
     ],
-    "tinyglobby@0.2.16": [
+    "tinyglobby@0.2.17": [
       "node_modules/tinyglobby"
     ],
     "which@5.0.0": [
       "node_modules/which"
     ],
+    "env-paths@2.2.1": [
+      "node_modules/env-paths"
+    ],
+    "proc-log@5.0.0": [
+      "node_modules/proc-log"
+    ],
     "exponential-backoff@3.1.3": [
       "node_modules/exponential-backoff"
     ],
     "graceful-fs@4.2.11": [
       "node_modules/graceful-fs"
     ],
-    "tar@7.5.15": [
-      "node_modules/tar"
-    ],
-    "semver@7.8.1": [
+    "semver@7.8.4": [
       "node_modules/semver"
     ],
     "make-fetch-happen@14.0.3": [
@@ -49,30 +49,33 @@
     "abbrev@3.0.1": [
       "node_modules/abbrev"
     ],
-    "picomatch@4.0.4": [
-      "node_modules/picomatch"
-    ],
-    "fdir@6.5.0(picomatch@4.0.4)": [
-      "node_modules/fdir"
-    ],
-    "isexe@3.1.1": [
-      "node_modules/isexe"
+    "chownr@3.0.0": [
+      "node_modules/chownr"
     ],
     "yallist@5.0.0": [
       "node_modules/yallist"
     ],
-    "chownr@3.0.0": [
-      "node_modules/chownr"
+    "@isaacs/fs-minipass@4.0.1": [
+      "node_modules/@isaacs/fs-minipass"
     ],
     "minizlib@3.1.0": [
       "node_modules/minizlib"
     ],
-    "@isaacs/fs-minipass@4.0.1": [
-      "node_modules/@isaacs/fs-minipass"
-    ],
     "minipass@7.1.3": [
       "node_modules/minipass"
     ],
+    "fdir@6.5.0(picomatch@4.0.4)": [
+      "node_modules/fdir"
+    ],
+    "picomatch@4.0.4": [
+      "node_modules/picomatch"
+    ],
+    "isexe@3.1.1": [
+      "node_modules/isexe"
+    ],
+    "promise-retry@2.0.1": [
+      "node_modules/promise-retry"
+    ],
     "minipass@3.3.6": [
       "node_modules/minipass-flush/node_modules/minipass",
       "node_modules/minipass-pipeline/node_modules/minipass",
@@ -86,108 +89,114 @@
     "negotiator@1.0.0": [
       "node_modules/negotiator"
     ],
-    "promise-retry@2.0.1": [
-      "node_modules/promise-retry"
+    "minipass-fetch@4.0.1": [
+      "node_modules/minipass-fetch"
     ],
     "@npmcli/agent@3.0.0": [
       "node_modules/@npmcli/agent"
     ],
-    "ssri@12.0.0": [
-      "node_modules/ssri"
-    ],
     "http-cache-semantics@4.2.0": [
       "node_modules/http-cache-semantics"
     ],
-    "minipass-fetch@4.0.1": [
-      "node_modules/minipass-fetch"
-    ],
     "cacache@19.0.1": [
       "node_modules/cacache"
     ],
-    "err-code@2.0.3": [
-      "node_modules/err-code"
+    "ssri@12.0.0": [
+      "node_modules/ssri"
     ],
     "retry@0.12.0": [
       "node_modules/retry"
     ],
+    "err-code@2.0.3": [
+      "node_modules/err-code"
+    ],
+    "encoding@0.1.13": [
+      "node_modules/encoding"
+    ],
     "http-proxy-agent@7.0.2": [
       "node_modules/http-proxy-agent"
     ],
-    "agent-base@7.1.4": [
-      "node_modules/agent-base"
-    ],
     "https-proxy-agent@7.0.6": [
       "node_modules/https-proxy-agent"
     ],
     "socks-proxy-agent@8.0.5": [
       "node_modules/socks-proxy-agent"
     ],
+    "agent-base@7.1.4": [
+      "node_modules/agent-base"
+    ],
     "lru-cache@10.4.3": [
       "node_modules/lru-cache"
     ],
-    "encoding@0.1.13": [
-      "node_modules/encoding"
-    ],
-    "unique-filename@4.0.0": [
-      "node_modules/unique-filename"
-    ],
     "fs-minipass@3.0.3": [
       "node_modules/fs-minipass"
     ],
     "minipass-collect@2.0.1": [
       "node_modules/minipass-collect"
     ],
-    "p-map@7.0.4": [
-      "node_modules/p-map"
+    "unique-filename@4.0.0": [
+      "node_modules/unique-filename"
     ],
     "@npmcli/fs@4.0.0": [
       "node_modules/@npmcli/fs"
     ],
+    "p-map@7.0.4": [
+      "node_modules/p-map"
+    ],
     "glob@10.5.0": [
       "node_modules/glob"
     ],
+    "iconv-lite@0.6.3": [
+      "node_modules/iconv-lite"
+    ],
     "debug@4.4.3": [
       "node_modules/debug"
     ],
     "socks@2.8.9": [
       "node_modules/socks"
     ],
-    "iconv-lite@0.6.3": [
-      "node_modules/iconv-lite"
-    ],
     "unique-slug@5.0.0": [
       "node_modules/unique-slug"
     ],
+    "foreground-child@3.3.1": [
+      "node_modules/foreground-child"
+    ],
     "package-json-from-dist@1.0.1": [
       "node_modules/package-json-from-dist"
     ],
-    "path-scurry@1.11.1": [
-      "node_modules/path-scurry"
-    ],
     "jackspeak@3.4.3": [
       "node_modules/jackspeak"
     ],
+    "path-scurry@1.11.1": [
+      "node_modules/path-scurry"
+    ],
     "minimatch@9.0.9": [
       "node_modules/minimatch"
     ],
-    "foreground-child@3.3.1": [
-      "node_modules/foreground-child"
+    "safer-buffer@2.1.2": [
+      "node_modules/safer-buffer"
     ],
     "ms@2.1.3": [
       "node_modules/ms"
     ],
-    "smart-buffer@4.2.0": [
-      "node_modules/smart-buffer"
-    ],
     "ip-address@10.2.0": [
       "node_modules/ip-address"
     ],
-    "safer-buffer@2.1.2": [
-      "node_modules/safer-buffer"
+    "smart-buffer@4.2.0": [
+      "node_modules/smart-buffer"
     ],
     "imurmurhash@0.1.4": [
       "node_modules/imurmurhash"
     ],
+    "signal-exit@4.1.0": [
+      "node_modules/signal-exit"
+    ],
+    "which@2.0.2": [
+      "node_modules/cross-spawn/node_modules/which"
+    ],
+    "isexe@2.0.0": [
+      "node_modules/cross-spawn/node_modules/isexe"
+    ],
     "@isaacs/cliui@8.0.2": [
       "node_modules/@isaacs/cliui"
     ],
@@ -197,14 +206,11 @@
     "brace-expansion@2.1.1": [
       "node_modules/brace-expansion"
     ],
-    "signal-exit@4.1.0": [
-      "node_modules/signal-exit"
-    ],
-    "which@2.0.2": [
-      "node_modules/cross-spawn/node_modules/which"
+    "shebang-command@2.0.0": [
+      "node_modules/shebang-command"
     ],
-    "isexe@2.0.0": [
-      "node_modules/cross-spawn/node_modules/isexe"
+    "path-key@3.1.1": [
+      "node_modules/path-key"
     ],
     "strip-ansi@7.2.0": [
       "node_modules/strip-ansi"
@@ -239,11 +245,8 @@
     "balanced-match@1.0.2": [
       "node_modules/balanced-match"
     ],
-    "shebang-command@2.0.0": [
-      "node_modules/shebang-command"
-    ],
-    "path-key@3.1.1": [
-      "node_modules/path-key"
+    "shebang-regex@3.0.0": [
+      "node_modules/shebang-regex"
     ],
     "ansi-regex@6.2.2": [
       "node_modules/ansi-regex"
@@ -257,14 +260,11 @@
     "color-convert@2.0.1": [
       "node_modules/color-convert"
     ],
-    "eastasianwidth@0.2.0": [
-      "node_modules/eastasianwidth"
-    ],
     "emoji-regex@9.2.2": [
       "node_modules/emoji-regex"
     ],
-    "shebang-regex@3.0.0": [
-      "node_modules/shebang-regex"
+    "eastasianwidth@0.2.0": [
+      "node_modules/eastasianwidth"
     ],
     "color-name@1.1.4": [
       "node_modules/color-name"
@@ -289,7 +289,7 @@
   "packageManager": "pnpm@10.33.1",
   "pendingBuilds": [],
   "publicHoistPattern": [],
-  "prunedAt": "Wed, 27 May 2026 23:03:26 GMT",
+  "prunedAt": "Thu, 11 Jun 2026 17:03:03 GMT",
   "registries": {
     "default": "https://registry.npmjs.org/",
     "@jsr": "https://npm.jsr.io/"

package/dist/node_modules/.pnpm/lock.yaml

@@ -42,6 +42,8 @@ overrides:
   semver@<7.5.2: ^7.7.4
   send@<0.19.0: ^0.19.0
   serve-static@<1.16.0: ^1.16.0
+  shell-quote@<1.8.4: '>=1.8.4'
+  shell-quote: 1.8.4
   socks@2: ^2.8.1
   tar@<=7.5.10: '>=7.5.11'
   tmp@<0.2.6: '>=0.2.6'
@@ -319,8 +321,8 @@ packages:
   safer-buffer@2.1.2:
     resolution: {integrity: sha512-YZo3K82SD7Riyi0E1EQPojLz7kpepnSQI9IyPbHHg1XXXevb5dJI7tpyN2ADxGcQbHG7vcyRHk0cbwqcQriUtg==}
 
-  semver@7.8.1:
-    resolution: {integrity: sha512-rkVq3IXh+4FDGch+KwzX3aV9W3kO54GyEgpvBzSyctDA6Xtd7RJQV1xmXbeQp5v7+VzLOfVqiutSE6GICgPFvg==}
+  semver@7.8.4:
+    resolution: {integrity: sha512-rUCObTnP32Q08R2uuIrt7r9PlEonuTmtuXYcW6s5kjdlj3xbnwe+21yXptAUYcMAABLkYYTtnmzb3w3EDZfueA==}
     engines: {node: '>=10'}
     hasBin: true
 
@@ -368,12 +370,12 @@ packages:
     resolution: {integrity: sha512-yDPMNjp4WyfYBkHnjIRLfca1i6KMyGCtsVgoKe/z1+6vukgaENdgGBZt+ZmKPc4gavvEZ5OgHfHdrazhgNyG7w==}
     engines: {node: '>=12'}
 
-  tar@7.5.15:
-    resolution: {integrity: sha512-dzGK0boVlC4W5QFuQN1EFSl3bIDYsk7Tj40U6eIBnK2k/8ml7TZ5agbI5j5+qnoVcAA+rNtBml8SEiLxZpNqRQ==}
+  tar@7.5.16:
+    resolution: {integrity: sha512-56adEpPMouktRlBLXiaYFFzZ/3+JXa8P9n7WbR+ibIjtviN55mEaOkiysCnPnWm+7kkui1Dn8J9l+g6zV8731w==}
     engines: {node: '>=18'}
 
-  tinyglobby@0.2.16:
-    resolution: {integrity: sha512-pn99VhoACYR8nFHhxqix+uvsbXineAasWm5ojXoN8xEwK5Kd3/TrhNn1wByuD52UxWRLy8pu+kRMniEi6Eq9Zg==}
+  tinyglobby@0.2.17:
+    resolution: {integrity: sha512-wXR/dYpcqKmfWpEdZjiKJOwCNFndD0DMnrW/cYjVGttEkBfVgcLFHoNrlj47mjOVic9yyNu65alsgF4NQyTa2g==}
     engines: {node: '>=12.0.0'}
 
   unique-filename@4.0.0:
@@ -442,7 +444,7 @@ snapshots:
 
   '@npmcli/fs@4.0.0':
     dependencies:
-      semver: 7.8.1
+      semver: 7.8.4
     optional: true
 
   '@pkgjs/parseargs@0.11.0':
@@ -488,7 +490,7 @@ snapshots:
       minipass-pipeline: 1.2.4
       p-map: 7.0.4
       ssri: 12.0.0
-      tar: 7.5.15
+      tar: 7.5.16
       unique-filename: 4.0.0
     optional: true
 
@@ -694,9 +696,9 @@ snapshots:
       make-fetch-happen: 14.0.3
       nopt: 8.1.0
       proc-log: 5.0.0
-      semver: 7.8.1
-      tar: 7.5.15
-      tinyglobby: 0.2.16
+      semver: 7.8.4
+      tar: 7.5.16
+      tinyglobby: 0.2.17
       which: 5.0.0
     transitivePeerDependencies:
       - supports-color
@@ -740,7 +742,7 @@ snapshots:
   safer-buffer@2.1.2:
     optional: true
 
-  semver@7.8.1:
+  semver@7.8.4:
     optional: true
 
   shebang-command@2.0.0:
@@ -801,7 +803,7 @@ snapshots:
       ansi-regex: 6.2.2
     optional: true
 
-  tar@7.5.15:
+  tar@7.5.16:
     dependencies:
       '@isaacs/fs-minipass': 4.0.1
       chownr: 3.0.0
@@ -810,7 +812,7 @@ snapshots:
       yallist: 5.0.0
     optional: true
 
-  tinyglobby@0.2.16:
+  tinyglobby@0.2.17:
     dependencies:
       fdir: 6.5.0(picomatch@4.0.4)
       picomatch: 4.0.4

package/dist/node_modules/.pnpm-workspace-state-v1.json

@@ -1,5 +1,5 @@
 {
-  "lastValidatedTimestamp": 1779923006425,
+  "lastValidatedTimestamp": 1781197383368,
   "projects": {},
   "pnpmfiles": [],
   "settings": {
@@ -56,6 +56,8 @@
       "semver@<7.5.2": "^7.7.4",
       "send@<0.19.0": "^0.19.0",
       "serve-static@<1.16.0": "^1.16.0",
+      "shell-quote@<1.8.4": ">=1.8.4",
+      "shell-quote": "1.8.4",
       "socks@2": "^2.8.1",
       "tar@<=7.5.10": ">=7.5.11",
       "tmp@<0.2.6": ">=0.2.6",

package/dist/node_modules/semver/classes/range.js

@@ -277,6 +277,11 @@ const parseComparator = (comp, options) => {
 
 const isX = id => !id || id.toLowerCase() === 'x' || id === '*'
 
+const invalidXRangeOrder = (M, m, p) => (
+  (isX(M) && !isX(m)) ||
+  (isX(m) && p && !isX(p))
+)
+
 // ~, ~> --> * (any, kinda silly)
 // ~2, ~2.x, ~2.x.x, ~>2, ~>2.x ~>2.x.x --> >=2.0.0 <3.0.0-0
 // ~2.0, ~2.0.x, ~>2.0, ~>2.0.x --> >=2.0.0 <2.1.0-0
@@ -373,10 +378,10 @@ const replaceCaret = (comp, options) => {
       if (M === '0') {
         if (m === '0') {
           ret = `>=${M}.${m}.${p
-          }${z} <${M}.${m}.${+p + 1}-0`
+          } <${M}.${m}.${+p + 1}-0`
         } else {
           ret = `>=${M}.${m}.${p
-          }${z} <${M}.${+m + 1}.0-0`
+          } <${M}.${+m + 1}.0-0`
         }
       } else {
         ret = `>=${M}.${m}.${p
@@ -402,6 +407,10 @@ const replaceXRange = (comp, options) => {
   const r = options.loose ? re[t.XRANGELOOSE] : re[t.XRANGE]
   return comp.replace(r, (ret, gtlt, M, m, p, pr) => {
     debug('xRange', comp, ret, gtlt, M, m, p, pr)
+    if (invalidXRangeOrder(M, m, p)) {
+      return comp
+    }
+
     const xM = isX(M)
     const xm = xM || isX(m)
     const xp = xm || isX(p)

package/dist/node_modules/semver/classes/semver.js

@@ -6,6 +6,22 @@ const { safeRe: re, t } = require('../internal/re')
 
 const parseOptions = require('../internal/parse-options')
 const { compareIdentifiers } = require('../internal/identifiers')
+
+const isPrereleaseIdentifier = (prerelease, identifier) => {
+  const identifiers = identifier.split('.')
+  if (identifiers.length > prerelease.length) {
+    return false
+  }
+
+  for (let i = 0; i < identifiers.length; i++) {
+    if (compareIdentifiers(prerelease[i], identifiers[i]) !== 0) {
+      return false
+    }
+  }
+
+  return true
+}
+
 class SemVer {
   constructor (version, options) {
     options = parseOptions(options)
@@ -309,8 +325,9 @@ class SemVer {
           if (identifierBase === false) {
             prerelease = [identifier]
           }
-          if (compareIdentifiers(this.prerelease[0], identifier) === 0) {
-            if (isNaN(this.prerelease[1])) {
+          if (isPrereleaseIdentifier(this.prerelease, identifier)) {
+            const prereleaseBase = this.prerelease[identifier.split('.').length]
+            if (isNaN(prereleaseBase)) {
               this.prerelease = prerelease
             }
           } else {

package/dist/node_modules/semver/package.json

@@ -1,6 +1,6 @@
 {
   "name": "semver",
-  "version": "7.8.1",
+  "version": "7.8.4",
   "description": "The semantic version parser used by npm.",
   "main": "index.js",
   "scripts": {
@@ -14,7 +14,7 @@
     "eslint": "eslint \"**/*.{js,cjs,ts,mjs,jsx,tsx}\""
   },
   "devDependencies": {
-    "@npmcli/eslint-config": "^6.0.0",
+    "@npmcli/eslint-config": "^7.0.0",
     "@npmcli/template-oss": "5.0.0",
     "benchmark": "^2.1.4",
     "tap": "^16.0.0"

package/dist/node_modules/tar/dist/commonjs/header.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"header.d.ts","sourceRoot":"","sources":["../../src/header.ts"],"names":[],"mappings":"AAOA,OAAO,KAAK,EAAE,aAAa,EAAE,aAAa,EAAE,MAAM,YAAY,CAAA;AAG9D,MAAM,MAAM,UAAU,GAAG;IACvB,IAAI,CAAC,EAAE,MAAM,CAAA;IACb,IAAI,CAAC,EAAE,MAAM,CAAA;IACb,GAAG,CAAC,EAAE,MAAM,CAAA;IACZ,GAAG,CAAC,EAAE,MAAM,CAAA;IACZ,IAAI,CAAC,EAAE,MAAM,CAAA;IACb,KAAK,CAAC,EAAE,MAAM,CAAA;IACd,IAAI,CAAC,EAAE,aAAa,GAAG,aAAa,CAAA;IACpC,QAAQ,CAAC,EAAE,MAAM,CAAA;IACjB,KAAK,CAAC,EAAE,MAAM,CAAA;IACd,KAAK,CAAC,EAAE,MAAM,CAAA;IACd,MAAM,CAAC,EAAE,MAAM,CAAA;IACf,MAAM,CAAC,EAAE,MAAM,CAAA;IACf,KAAK,CAAC,EAAE,IAAI,CAAA;IACZ,KAAK,CAAC,EAAE,IAAI,CAAA;IACZ,KAAK,CAAC,EAAE,IAAI,CAAA;IAIZ,OAAO,CAAC,EAAE,MAAM,CAAA;IAChB,OAAO,CAAC,EAAE,MAAM,CAAA;IAChB,GAAG,CAAC,EAAE,MAAM,CAAA;IACZ,GAAG,CAAC,EAAE,MAAM,CAAA;IACZ,KAAK,CAAC,EAAE,MAAM,CAAA;CACf,CAAA;AAED,qBAAa,MAAO,YAAW,UAAU;;IACvC,UAAU,EAAE,OAAO,CAAQ;IAC3B,OAAO,EAAE,OAAO,CAAQ;IACxB,SAAS,EAAE,OAAO,CAAQ;IAE1B,KAAK,CAAC,EAAE,MAAM,CAAA;IACd,IAAI,CAAC,EAAE,MAAM,CAAA;IACb,IAAI,CAAC,EAAE,MAAM,CAAA;IACb,GAAG,CAAC,EAAE,MAAM,CAAA;IACZ,GAAG,CAAC,EAAE,MAAM,CAAA;IACZ,IAAI,CAAC,EAAE,MAAM,CAAA;IACb,KAAK,CAAC,EAAE,MAAM,CAAA;IAEd,QAAQ,CAAC,EAAE,MAAM,CAAA;IACjB,KAAK,CAAC,EAAE,MAAM,CAAA;IACd,KAAK,CAAC,EAAE,MAAM,CAAA;IACd,MAAM,EAAE,MAAM,CAAI;IAClB,MAAM,EAAE,MAAM,CAAI;IAClB,KAAK,CAAC,EAAE,IAAI,CAAA;IACZ,KAAK,CAAC,EAAE,IAAI,CAAA;IACZ,KAAK,CAAC,EAAE,IAAI,CAAA;IAEZ,OAAO,CAAC,EAAE,MAAM,CAAA;IAChB,OAAO,CAAC,EAAE,MAAM,CAAA;gBAGd,IAAI,CAAC,EAAE,MAAM,GAAG,UAAU,EAC1B,GAAG,GAAE,MAAU,EACf,EAAE,CAAC,EAAE,UAAU,EACf,GAAG,CAAC,EAAE,UAAU;IASlB,MAAM,CAAC,GAAG,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,EAAE,EAAE,CAAC,EAAE,UAAU,EAAE,GAAG,CAAC,EAAE,UAAU;IAwGlE,MAAM,CAAC,GAAG,CAAC,EAAE,MAAM,EAAE,GAAG,GAAE,MAAU;IAiEpC,IAAI,IAAI,IAAI,aAAa,CAKxB;IAED,IAAI,OAAO,IAAI,aAAa,GAAG,aAAa,CAE3C;IAED,IAAI,IAAI,CAAC,IAAI,EAAE,aAAa,GAAG,aAAa,GAAG,aAAa,EAS3D;CACF"}
+{"version":3,"file":"header.d.ts","sourceRoot":"","sources":["../../src/header.ts"],"names":[],"mappings":"AAOA,OAAO,KAAK,EAAE,aAAa,EAAE,aAAa,EAAE,MAAM,YAAY,CAAA;AAG9D,MAAM,MAAM,UAAU,GAAG;IACvB,IAAI,CAAC,EAAE,MAAM,CAAA;IACb,IAAI,CAAC,EAAE,MAAM,CAAA;IACb,GAAG,CAAC,EAAE,MAAM,CAAA;IACZ,GAAG,CAAC,EAAE,MAAM,CAAA;IACZ,IAAI,CAAC,EAAE,MAAM,CAAA;IACb,KAAK,CAAC,EAAE,MAAM,CAAA;IACd,IAAI,CAAC,EAAE,aAAa,GAAG,aAAa,CAAA;IACpC,QAAQ,CAAC,EAAE,MAAM,CAAA;IACjB,KAAK,CAAC,EAAE,MAAM,CAAA;IACd,KAAK,CAAC,EAAE,MAAM,CAAA;IACd,MAAM,CAAC,EAAE,MAAM,CAAA;IACf,MAAM,CAAC,EAAE,MAAM,CAAA;IACf,KAAK,CAAC,EAAE,IAAI,CAAA;IACZ,KAAK,CAAC,EAAE,IAAI,CAAA;IACZ,KAAK,CAAC,EAAE,IAAI,CAAA;IAIZ,OAAO,CAAC,EAAE,MAAM,CAAA;IAChB,OAAO,CAAC,EAAE,MAAM,CAAA;IAChB,GAAG,CAAC,EAAE,MAAM,CAAA;IACZ,GAAG,CAAC,EAAE,MAAM,CAAA;IACZ,KAAK,CAAC,EAAE,MAAM,CAAA;CACf,CAAA;AAED,qBAAa,MAAO,YAAW,UAAU;;IACvC,UAAU,EAAE,OAAO,CAAQ;IAC3B,OAAO,EAAE,OAAO,CAAQ;IACxB,SAAS,EAAE,OAAO,CAAQ;IAE1B,KAAK,CAAC,EAAE,MAAM,CAAA;IACd,IAAI,CAAC,EAAE,MAAM,CAAA;IACb,IAAI,CAAC,EAAE,MAAM,CAAA;IACb,GAAG,CAAC,EAAE,MAAM,CAAA;IACZ,GAAG,CAAC,EAAE,MAAM,CAAA;IACZ,IAAI,CAAC,EAAE,MAAM,CAAA;IACb,KAAK,CAAC,EAAE,MAAM,CAAA;IAEd,QAAQ,CAAC,EAAE,MAAM,CAAA;IACjB,KAAK,CAAC,EAAE,MAAM,CAAA;IACd,KAAK,CAAC,EAAE,MAAM,CAAA;IACd,MAAM,EAAE,MAAM,CAAI;IAClB,MAAM,EAAE,MAAM,CAAI;IAClB,KAAK,CAAC,EAAE,IAAI,CAAA;IACZ,KAAK,CAAC,EAAE,IAAI,CAAA;IACZ,KAAK,CAAC,EAAE,IAAI,CAAA;IAEZ,OAAO,CAAC,EAAE,MAAM,CAAA;IAChB,OAAO,CAAC,EAAE,MAAM,CAAA;gBAGd,IAAI,CAAC,EAAE,MAAM,GAAG,UAAU,EAC1B,GAAG,GAAE,MAAU,EACf,EAAE,CAAC,EAAE,UAAU,EACf,GAAG,CAAC,EAAE,UAAU;IASlB,MAAM,CAAC,GAAG,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,EAAE,EAAE,CAAC,EAAE,UAAU,EAAE,GAAG,CAAC,EAAE,UAAU;IA4IlE,MAAM,CAAC,GAAG,CAAC,EAAE,MAAM,EAAE,GAAG,GAAE,MAAU;IAiEpC,IAAI,IAAI,IAAI,aAAa,CAKxB;IAED,IAAI,OAAO,IAAI,aAAa,GAAG,aAAa,CAE3C;IAED,IAAI,IAAI,CAAC,IAAI,EAAE,aAAa,GAAG,aAAa,GAAG,aAAa,EAS3D;CACF"}

package/dist/node_modules/tar/dist/commonjs/header.js

@@ -78,22 +78,45 @@ class Header {
         if (!buf || !(buf.length >= off + 512)) {
             throw new Error('need 512 bytes for header');
         }
-        this.path = ex?.path ?? decString(buf, off, 100);
-        this.mode = ex?.mode ?? gex?.mode ?? decNumber(buf, off + 100, 8);
-        this.uid = ex?.uid ?? gex?.uid ?? decNumber(buf, off + 108, 8);
-        this.gid = ex?.gid ?? gex?.gid ?? decNumber(buf, off + 116, 8);
-        this.size = ex?.size ?? gex?.size ?? decNumber(buf, off + 124, 12);
-        this.mtime = ex?.mtime ?? gex?.mtime ?? decDate(buf, off + 136, 12);
+        // Decode the typeflag (independent of any pending PAX/GNU extended header)
+        // up front so we can tell whether THIS block is itself an intermediary
+        // extension header (PAX `x`/`g`, GNU long-name `L`, GNU long-link `K`).
+        // Per POSIX pax, a PAX extended header describes the *next file entry*, not
+        // the extension headers that may sit between it and that file. Applying the
+        // pending PAX overrides (notably `size`) to an intervening `L`/`K`/`x`/`g`
+        // header desynchronizes the stream relative to other tar implementations
+        // and enables tar interpretation-conflict / file-smuggling attacks.
+        const t = decString(buf, off + 156, 1);
+        const isNormalFS = types.normalFsTypes.has(t);
+        const exForFields = isNormalFS ? ex : undefined;
+        const gexForFields = isNormalFS ? gex : undefined;
+        this.path = exForFields?.path ?? decString(buf, off, 100);
+        this.mode =
+            exForFields?.mode ??
+                gexForFields?.mode ??
+                decNumber(buf, off + 100, 8);
+        this.uid =
+            exForFields?.uid ?? gexForFields?.uid ?? decNumber(buf, off + 108, 8);
+        this.gid =
+            exForFields?.gid ?? gexForFields?.gid ?? decNumber(buf, off + 116, 8);
+        this.size =
+            exForFields?.size ??
+                gexForFields?.size ??
+                decNumber(buf, off + 124, 12);
+        this.mtime =
+            exForFields?.mtime ??
+                gexForFields?.mtime ??
+                decDate(buf, off + 136, 12);
         this.cksum = decNumber(buf, off + 148, 12);
         // if we have extended or global extended headers, apply them now
         // See https://github.com/npm/node-tar/pull/187
-        // Apply global before local, so it overrides
-        if (gex)
-            this.#slurp(gex, true);
-        if (ex)
-            this.#slurp(ex);
+        // Apply global before local, so it overrides. Never slurp the pending
+        // extended-header fields onto an intermediary extension header.
+        if (gexForFields)
+            this.#slurp(gexForFields, true);
+        if (exForFields)
+            this.#slurp(exForFields);
         // old tar versions marked dirs as a file with a trailing /
-        const t = decString(buf, off + 156, 1);
         if (types.isCode(t)) {
             this.#type = t || '0';
         }
@@ -111,12 +134,24 @@ class Header {
         this.linkpath = decString(buf, off + 157, 100);
         if (buf.subarray(off + 257, off + 265).toString() === 'ustar\u000000') {
             /* c8 ignore start */
-            this.uname = ex?.uname ?? gex?.uname ?? decString(buf, off + 265, 32);
-            this.gname = ex?.gname ?? gex?.gname ?? decString(buf, off + 297, 32);
+            this.uname =
+                exForFields?.uname ??
+                    gexForFields?.uname ??
+                    decString(buf, off + 265, 32);
+            this.gname =
+                exForFields?.gname ??
+                    gexForFields?.gname ??
+                    decString(buf, off + 297, 32);
             this.devmaj =
-                ex?.devmaj ?? gex?.devmaj ?? decNumber(buf, off + 329, 8) ?? 0;
+                exForFields?.devmaj ??
+                    gexForFields?.devmaj ??
+                    decNumber(buf, off + 329, 8) ??
+                    0;
             this.devmin =
-                ex?.devmin ?? gex?.devmin ?? decNumber(buf, off + 337, 8) ?? 0;
+                exForFields?.devmin ??
+                    gexForFields?.devmin ??
+                    decNumber(buf, off + 337, 8) ??
+                    0;
             /* c8 ignore stop */
             if (buf[off + 475] !== 0) {
                 // definitely a prefix, definitely >130 chars.