Does RequestGuard fix vulnerabilities in tar-fs?

No. RequestGuard does not fix npm package vulnerabilities. Use package updates, patches, lockfile changes, and maintainer guidance for dependency remediation.

What does RequestGuard help with while a dependency is being remediated?

RequestGuard helps mitigate runtime abuse against exposed signup, checkout, login, form, and API flows with allow, challenge, review, and block decisions.

Does no OSV advisory mean the package is safe?

No. Missing OSV advisories only means no known advisory was returned by that source at the time checked. Continue auditing and monitoring dependencies.

npm vulnerability intelligence

tar-fs NPM Package
Vulnerability Check

filesystem bindings for tar-stream

High severity MIT v3.1.2

Vulnerability Analysis OSV Live

tar-fs

v3.1.2 · MIT · 52,111,242 dl/wk

Advisory Breakdown

Critical 0

High 4

Moderate 0

Low 0

Severity Rating

High severity

4 advisories

High severity

Weekly downloads

52,111,242

Total advisories

Latest version

3.1.2

License

MIT

Advisories Package Info Runtime

Known advisories

OSV records for the npm ecosystem

GHSA-8cj5-5rvv-wf4v CVE-2025-48387 high

tar-fs can extract outside the specified dir with a specific tarball

Affected: >=0 <1.16.5, >=2.0.0 <2.1.3, >=3.0.0 <3.0.9 Fixed in: 1.16.5, 2.1.3, 3.0.9 Updated Feb 4, 2026

View source

GHSA-pq67-2wwv-3xjx CVE-2024-12905 high

tar-fs Vulnerable to Link Following and Path Traversal via Extracting a Crafted tar File

Affected: >=0 <1.16.4, >=2.0.0 <2.1.2, >=3.0.0 <3.0.7 Fixed in: 1.16.4, 2.1.2, 3.0.7 Updated Feb 4, 2026

View source

GHSA-vj76-c3g6-qr5v CVE-2025-59343 high

tar-fs has a symlink validation bypass if destination directory is predictable with a specific tarball

Affected: >=3.0.0 <3.1.1, >=2.0.0 <2.1.4, >=0 <1.16.6 Fixed in: 3.1.1, 2.1.4, 1.16.6 Updated Feb 4, 2026

View source

GHSA-x2mc-8fgj-3wmr CVE-2018-20835 high

Improper Input Validation in tar-fs

Affected: >=0 <1.16.2 Fixed in: 1.16.2 Updated Nov 8, 2023

View source

Checked Jun 24, 2026, 8:29 PM from npm and OSV.dev

Package metadata

From the npm registry

Package name: tar-fs
Ecosystem: npm
Latest version: 3.1.2
License: MIT
Weekly downloads: 52,111,242
Repository: Open repository

Remediation boundary

What RequestGuard does — and doesn't — cover

RequestGuard does not fix npm package vulnerabilities. Dependency remediation happens through package updates, patches, lockfile changes, and maintainer guidance. RequestGuard can help mitigate runtime abuse around exposed web and API flows while remediation is handled separately.

Signup flows

API traffic

Protect runtime flows →

Allow, challenge, review, and block decisions for exposed endpoints.

Data from npm registry and OSV.dev · Checked 6/24/2026, 8:29:00 PM

Lookups

Domain Radar

Email Risk

Traffic Abuse

Lookups

Domain Radar

Email Risk

Traffic Abuse

tar-fs NPM Package
Vulnerability Check

Known advisories

Package metadata

Remediation boundary

Lookups

Domain Radar

Email Risk

Traffic Abuse

tar-fs NPM PackageVulnerability Check

Known advisories

Package metadata

Remediation boundary

tar-fs NPM Package
Vulnerability Check