Versions of tar prior to 4.4.2 for 4.x and 2.2.2 for 2.x are vulnerable to Arbitrary File Overwrite. A tarball can contain a hardlink entry that points at a file already present on the system, followed by a regular file entry at the same path as that hardlink; extracting it writes the extracted file's contents through the link, overwriting the existing system file.
For tar 4.x, upgrade to version 4.4.2 or later.
For tar 2.x, upgrade to version 2.2.2 or later.
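As an added illustration that is not part of this advisory or of node-tar's code, the following Python check scans an archive before extraction for the entry pattern described above: a hardlink whose target is not an earlier member of the same archive (so it resolves to a file already on disk) followed by a regular file at the hardlink's own path. The member names and file contents are constructed samples.

```python
import io
import tarfile

def find_hardlink_overwrites(tar):
    """Pre-extraction check for the pattern in this advisory.

    A hardlink member normally points at a file archived earlier in the same
    tarball. A hardlink to a path that is not in the archive resolves to a
    file already on disk, and a later regular-file member at the link's own
    path is then written through that link, replacing the on-disk file.
    Returns a list of (reason, member_name, link_target) tuples.
    """
    findings = []
    archived = set()   # paths of regular files seen so far in the archive
    hardlinks = {}     # hardlink member name -> its link target
    for m in tar.getmembers():          # members come back in archive order
        if m.islnk():
            hardlinks[m.name] = m.linkname
            if m.linkname not in archived:
                findings.append(("hardlink targets file not in archive", m.name, m.linkname))
        elif m.isfile():
            if m.name in hardlinks:
                findings.append(("file written through hardlink", m.name, hardlinks[m.name]))
            archived.add(m.name)
    return findings

def _add_file(tar, name, data):
    info = tarfile.TarInfo(name)
    info.size = len(data)
    tar.addfile(info, io.BytesIO(data))

def _add_hardlink(tar, name, target):
    info = tarfile.TarInfo(name)
    info.type = tarfile.LNKTYPE
    info.linkname = target
    tar.addfile(info)

def build_sample_tarball(malicious=True):
    """Constructed in-memory sample (hypothetical names). The malicious layout
    is the advisory's pattern: hardlink 'notes.txt' -> 'package.json', a path
    assumed to exist on disk but absent from the archive, then a regular file
    at 'notes.txt'. The benign layout is an ordinary hardlink to an earlier member."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        if malicious:
            _add_hardlink(tar, "notes.txt", "package.json")
            _add_file(tar, "notes.txt", b"contents that would land in package.json\n")
        else:
            _add_file(tar, "a.txt", b"same inode\n")
            _add_hardlink(tar, "b.txt", "a.txt")
    return buf.getvalue()

def scan_tarball_bytes(blob):
    """Run the check over a tarball held in memory."""
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r") as tar:
        return find_hardlink_overwrites(tar)
```

The check is format-level and independent of the extracting library, so it applies to any archive handed to a vulnerable tar version; it does not replace upgrading.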
access.redhat.com/errata/RHSA-2019:1821
github.com/isaacs/node-tar
github.com/npm/node-tar/commit/7ecef07da6a9e72cc0c4d0c9c6a8e85b6b52395d
github.com/npm/node-tar/commit/b0c58433c22f5e7fe8b1c76373f27e3f81dcd4c8
github.com/npm/node-tar/commits/v2.2.2
github.com/npm/node-tar/compare/58a8d43...a5f7779
hackerone.com/reports/344595
nvd.nist.gov/vuln/detail/CVE-2018-20834