fix: migrate from tokio-tar to astral-tokio-tar

tokio-tar is unmaintained and has unpatched CVE-2025-62518. More details on CVE are in <https://edera.dev/stories/tarmageddon>. tokio-tar is only used for transferring backups and worst case is that by manually inspecting a carefully crafted backup user will not see the same files as get unpacked when importing a backup.
2026-05-06 06:46:35 +03:00 · 2025-10-21 20:38:17 +00:00
parent 51b9e86d71
commit 3c93f61b4d
3 changed files with 22 additions and 43 deletions
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -103,7 +103,7 @@ thiserror = { workspace = true }
 tokio-io-timeout = "1.2.1"
 tokio-rustls = { version = "0.26.2", default-features = false }
 tokio-stream = { version = "0.1.17", features = ["fs"] }
-tokio-tar = { version = "0.3" } # TODO: integrate tokio into async-tar
+astral-tokio-tar = { version = "0.5.6", default-features = false }
 tokio-util = { workspace = true }
 tokio = { workspace = true, features = ["fs", "rt-multi-thread", "macros"] }
 toml = "0.9"