node-tar (6.0.5+ds1+~cs11.3.9-1+deb11u3) bullseye-security; urgency=medium

  * Non-maintainer upload by the Debian LTS team.
  * d/patches/CVE-2024-28863.patch: Add patch to fix CVE-2024-28863.
    - Generating a large number of sub-folders can consume memory on the system
      and even crash the Node.js client within a few seconds using a path with
      too many sub-folders inside.
  * d/patches/CVE-2026-23745.patch: Add patch to fix CVE-2026-23745.
    - When preservePaths is false, the linkpath of Link (hardlink) and
      SymbolicLink entries fails to be sanitized, allowing malicious archives to
      bypass the extraction root restriction, leading to arbitrary file
      overwrites via hardlinks and symlink poisoning via absolute symlink
      targets.
  * d/patches/CVE-2026-23745-regression-fix.patch: Add patch to fix a
    regression introduced by the fix for CVE-2026-23745.
    - The fix for CVE-2026-23745 introduces a regression that prevents
      unpacking archives with valid linkpaths within the archive.
  * d/patches/CVE-2026-24842.patch: Add patch to fix CVE-2026-24842.
    - The security check for hardlink entries allows an attacker to craft a
      malicious TAR archive that bypasses path traversal protections and
      creates hardlinks to arbitrary files outside the extraction directory.
  * d/patches/CVE-2026-26960-1.patch,
    d/patches/CVE-2026-26960-2.patch: Add patches to fix CVE-2026-26960.
    - An attacker-controlled archive can create a hardlink inside the
      extraction directory that points to a file outside the extraction root,
      enabling arbitrary file read and write as the extracting user.
  * d/patches/CVE-2026-29786.patch: Add patch to fix CVE-2026-29786.
    - An attacker-controlled archive can create a hardlink that points outside
      the extraction directory by using a drive-relative link target.
  * d/patches/CVE-2026-31802.patch: Add patch to fix CVE-2026-31802.
    - An attacker-controlled archive can create a hardlink that points outside
      the extraction directory by using a drive-relative link target.
  * d/tests/control: Allow stderr to ignore npm warnings.

 -- Daniel Leidert <dleidert@debian.org>  Wed, 01 Apr 2026 05:44:08 +0200

node-tar (6.0.5+ds1+~cs11.3.9-1+deb11u2) bullseye-security; urgency=medium

  * Team upload
  * Fix insufficient symlink protection (Closes: CVE-2021-37701)
  * Fix arbitrary file creation/overwrite and arbitrary code execution
    vulnerability (Closes: CVE-2021-37712)
  * Don't apply umask when uncompressing to avoid creating world writable
    directories

 -- Yadd <yadd@debian.org>  Thu, 11 Nov 2021 09:00:28 +0100

node-tar (6.0.5+ds1+~cs11.3.9-1+deb11u1) bullseye; urgency=medium

  * Team upload
  * Remove paths from dirCache when no longer dirs
    (Closes: #992110, CVE-2021-32803)
  * Strip absolute paths more comprehensively
    (Closes: #992111, CVE-2021-32804)

 -- Yadd <yadd@debian.org>  Wed, 11 Aug 2021 21:50:15 +0200

node-tar (6.0.5+ds1+~cs11.3.9-1) unstable; urgency=medium

  [ Xavier Guimard ]
  * Team upload
  * Declare compliance with policy 4.5.1
  * Modernize debian/watch
  * Add ctype=nodejs to component(s)

  [ Pirate Praveen ]
  * Add @types/tar as component
  * New upstream version 6.0.5+ds1+~cs11.3.9

 -- Pirate Praveen <praveen@debian.org>  Thu, 07 Jan 2021 14:18:29 +0530

node-tar (6.0.5+ds1-2) unstable; urgency=medium

  * Team upload
  * Back to unstable after successful tests

 -- Xavier Guimard <yadd@debian.org>  Sat, 24 Oct 2020 19:54:30 +0200

node-tar (6.0.5+ds1-1) experimental; urgency=medium

  * Team upload

  [ Debian Janitor ]
  * Update standards version to 4.4.1, no changes needed.
  * debian/copyright: use spaces rather than tabs to start continuation
    lines.
  * Remove obsolete fields Name from debian/upstream/metadata.

  [ Xavier Guimard ]
  * Bump debhelper compatibility level to 13
  * Declare compliance with policy 4.5.0
  * Add "Rules-Requires-Root: no"
  * Use dh-sequence-nodejs
  * New upstream version 6.0.5+ds1
  * Refresh patch
  * Update test modules
  * Require node-mkdirp ≥ 1

 -- Xavier Guimard <yadd@debian.org>  Thu, 22 Oct 2020 08:35:38 +0200

node-tar (4.4.10+ds1-2) unstable; urgency=medium

  * Team upload
  * Switch install to pkg-js-tools
  * Increase test timeout
  * Don't install map.js, used only for tests
  * Switch to debhelper-compat
  * Back to unstable after successful tests using ci.debian.net

 -- Xavier Guimard <yadd@debian.org>  Thu, 22 Aug 2019 08:56:57 +0200

node-tar (4.4.10+ds1-1) experimental; urgency=medium

  * Team upload
  * Bump debhelper compatibility level to 12
  * Declare compliance with policy 4.4.0
  * Move installed files to /usr/share/nodejs
  * Replace pkg-components by pkg-js-tools (Closes: #933124)
  * Exclude embedded npm from minizlib import
  * New upstream version 4.4.10+ds1
  * Clean autopkgtest
  * Install map.js
  * Enable upstream test using pkg-js-tools. This embeds chmodr for tests only
  * Disable some failing tests (even with npm install)
  * Update debian/copyright
  * Drop unneeded version constraints from (build) dependencies

 -- Xavier Guimard <yadd@debian.org>  Sat, 27 Jul 2019 13:34:30 +0200

node-tar (4.4.6+ds1-3) unstable; urgency=medium

  * Team upload
  * Tighten dependencies (Closes: #910165)
  * Update copyright file (remove chownr section)
  * Add autopkgtest

 -- Pirate Praveen <praveen@debian.org>  Mon, 15 Oct 2018 22:13:56 +0530

node-tar (4.4.6+ds1-2) unstable; urgency=medium

  * Team upload
  * Drop chownr component in favor of node-chownr package

 -- Pirate Praveen <praveen@debian.org>  Fri, 28 Sep 2018 01:27:08 +0530

node-tar (4.4.6+ds1-1) unstable; urgency=medium

  * Team upload
  * New upstream version 4.4.6+ds1
  * Allow pkg-components from backports
  * Bump debhelper compatibility level to 11
  * Bump Standards-Version to 4.2.1 (no changes needed)

 -- Pirate Praveen <praveen@debian.org>  Sun, 16 Sep 2018 13:29:46 +0530

node-tar (4.4.4+ds1-2) unstable; urgency=medium

  * Team upload
  * Reupload to unstable

 -- Pirate Praveen <praveen@debian.org>  Fri, 17 Aug 2018 11:48:35 +0530

node-tar (4.4.4+ds1-1) experimental; urgency=medium

  * Properly rebuild ds1, including all tarballs

 -- Jérémy Lal <kapouer@melix.org>  Thu, 19 Jul 2018 12:23:16 +0200

node-tar (4.4.4+ds-4) experimental; urgency=medium

  * Properly build package from vcs. See README.source.

 -- Jérémy Lal <kapouer@melix.org>  Thu, 19 Jul 2018 11:37:57 +0200

node-tar (4.4.4+ds-3) experimental; urgency=medium

  * Build-Depends on some modules needed for tests
  * New upstream version 4.4.4+ds
  * Update minipass version
  * api-backward-compatibility.patch: restore capitalized method
    names. (Closes: #900491)
  * copyright: move comment from Source into Comment
  * Improve 4.4.1 changelog entry
  * Depends pkg-components >= 0.10

 -- Jérémy Lal <kapouer@melix.org>  Fri, 08 Jun 2018 09:31:29 +0200

node-tar (4.4.1+ds-2) experimental; urgency=medium

  * Call dh-components using dh_override_install/clean,
    because default hook is only after dh_install.

 -- Jérémy Lal <kapouer@melix.org>  Mon, 23 Apr 2018 13:43:58 +0200

node-tar (4.4.1+ds-1) experimental; urgency=medium

  * New upstream version 4.4.1+ds
  * Section javascript
  * Priority optional
  * Vcs salsa
  * Remove Testsuite field
  * Exclude benchmarks modules and repack
  * Standards-Version 4.1.4
  * Drop useless patch
  * Update Depends
  * Bundle these modules:
    + chownr (ITP #863985)
    + minipass
    + fs-minipass
    + minizlib
    using salsa:kapouer/pkg-components#f8714364 (see also
    #896608) which makes them easy to maintain using
    uscan-components and dh-components.
    Bundling criteria:
    - small source and same(ish) upstream author as main package
    - or not actively maintained and small number of potential
      reverse dependencies.
  * Run package tests
  * Add patch to avoid dependency on chmodr for running tests
    (node-chmodr is not available at the moment)

 -- Jérémy Lal <kapouer@melix.org>  Mon, 23 Apr 2018 01:14:10 +0200

node-tar (2.2.1-1) unstable; urgency=medium

  [ Bas Couwenberg ]
  * Remove myself from Uploaders.

  [ Jérémy Lal ]
  * Imported Upstream version 2.2.1
  * Run tests in autopkgtest
  * Move build-deps to test deps
  * Upstream license moved to ISC
  * Secure Vcs url
  * Standards-Version 3.9.8
  * Add patch fixing test
  * Tighten dependency on node-fstream 1.0.10
  * Override lintian error about missing source for test data

 -- Jérémy Lal <kapouer@melix.org>  Fri, 18 Nov 2016 09:52:18 +0100

node-tar (1.0.3-2) unstable; urgency=medium

  * Merge changes from previous releases.

 -- Bas Couwenberg <sebastic@debian.org>  Sun, 15 Mar 2015 22:59:07 +0100

node-tar (1.0.3-1) unstable; urgency=low

  * Initial release (Closes: #780440)

 -- Bas Couwenberg <sebastic@debian.org>  Sat, 14 Mar 2015 01:29:10 +0100

node-tar (0.1.18-1) unstable; urgency=low

  * Upstream update
  * control:
    + tighten dependency on node-inherits (>= 2)
    + canonicalize Vcs fields
    + Standards-Version 3.9.4

 -- Jérémy Lal <kapouer@melix.org>  Thu, 15 Aug 2013 16:06:15 +0200

node-tar (0.1.17-1) experimental; urgency=low

  * Upstream update.
  * Use github url in watch file.
  * Use dh_installexamples instead of dh_installdocs.

 -- Jérémy Lal <kapouer@melix.org>  Fri, 22 Mar 2013 10:18:26 +0100

node-tar (0.1.13-1) unstable; urgency=low

  * Initial release (Closes: #664719)

 -- Jérémy Lal <kapouer@melix.org>  Sat, 17 Mar 2012 23:37:48 +0100
