github.com/deislabs/oras is vulnerable to zip slip. Lack of validation during the extraction of archives or tarballs allows an attacker to write files to arbitrary locations or overwrite arbitrary files via symbolic and hard links in a malicious archive.