GitHub Patches Security Flaws in Core Node.js Dependencies

“These vulnerabilities may result in arbitrary code execution due to file overwrite and creation when tar is used to extract untrusted tar files or when the npm CLI is used to install untrusted npm packages under certain file system conditions,” GitHub said in an advisory.

A core npm dependency, tar is used to extract and install npm packages. Thousands of projects depend on it, and tar has tens of millions of weekly downloads. A core dependency of the npm CLI, @npmcli/arborist manages node_modules trees.