Security: Update decompress-tar to fix CVE-2020-12265 (Zip Slip vulnerability)

## Summary
The current version of `browserstack-cypress-cli` (1.36.3) includes a transitive dependency on `decompress-tar@4.1.1`, which has a known critical security vulnerability.

## Vulnerability Details
- **CVE:** [CVE-2020-12265](https://nvd.nist.gov/vuln/detail/CVE-2020-12265)
- **SNYK ID:** [SNYK-JS-DECOMPRESSTAR-559095](https://security.snyk.io/vuln/SNYK-JS-DECOMPRESSTAR-559095)
- **Severity:** Critical (NVD CVSS Score: 9.8)
- **Issue:** Arbitrary File Write via Archive Extraction (Zip Slip)
- **Affected Component:** `decompress-tar@4.1.1`

## Dependency Path

```
browserstack-cypress-cli@1.36.3
└─┬ decompress@4.2.1
  ├── decompress-tar@4.1.1 ⚠️ VULNERABLE
  ├─┬ decompress-tarbz2@4.1.1
  │ └── decompress-tar@4.1.1 deduped
  └─┬ decompress-targz@4.1.1
    └── decompress-tar@4.1.1 deduped
```

## Impact
While this is a development dependency and the practical risk is mitigated in most controlled CI/CD environments (where archives are only extracted from trusted BrowserStack sources), security scanners and enterprise compliance tools flag this as a critical blocker, preventing adoption or requiring risk acceptance documentation.

Thank you for maintaining this tool!

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Security: Update decompress-tar to fix CVE-2020-12265 (Zip Slip vulnerability) #1064

Summary

Vulnerability Details

Dependency Path

Impact

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Security: Update decompress-tar to fix CVE-2020-12265 (Zip Slip vulnerability) #1064

Description

Summary

Vulnerability Details

Dependency Path

Impact

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions