* Update LICENSE-MIT

* Update LICENSE-MIT

* refactor: implement recommendations from clippy

* fix: fmt

* refactor: shorten code

* Fix new elided lifetimes lint from Rust 1.89

https://blog.rust-lang.org/2025/08/07/Rust-1.89.0/#mismatched-lifetime-syntaxes-lint

Signed-off-by: Colin Walters <[email protected]>

* Fix clippy lints and tweak doc comemnt for EntryType

Clippy warned about a blank line in `EntryType` but the doc
comment was awkward; I tried improving it (though in the
end "entry type" is pretty self describing).

Signed-off-by: Colin Walters <[email protected]>

---------

Signed-off-by: Colin Walters <[email protected]>

* Replace `t!()` with `.unwrap()` [1/2]

ast-grep --pattern 't!($$$X)' --rewrite '$$$X.unwrap()' --update-all

* Replace `t!()` with `.unwrap()` [2/2]

ast-grep --pattern 't!($$$X)' --rewrite '$$$X.unwrap()' --update-all

* Replace `t!()` with `.unwrap()` inside macros [1/2]

ast-grep --pattern '$M!($$$B t!($$$X) $$$A)' --rewrite '$M!($$$B $$$X.unwrap() $$$A)' --update-all

* Replace `t!()` with `.unwrap()` inside macros [2/2]

ast-grep --pattern '$M!($$$B t!($$$X) $$$A)' --rewrite '$M!($$$B $$$X.unwrap() $$$A)' --update-all

* Remove `t!` macro

ast-grep --pattern 'macro_rules! t { $$$_ }' --rewrite '' --update-all

* Fix clippy

cargo clippy --all-targets --fix

Before this change, the fuzzing target uses the arbitrary crate without its
derive feature flag, and instead imports both the Arbitrary type from the
arbitrary crate and the Arbitrary derive macro from the derive_arbitrary
crate.

When building in an environment that enables the `derive` feature of the
arbitrary crate, this causes an error due to the ambiguity produced by having
two separate imports of a derive macro called Arbitrary.

This change drops the separate derive_arbitrary crate and instead enables
the `derive` feature of the arbitrary crate, which resolves the ambiguity.

Uses the official GitHub Action to verify semver compatibility on
every push and PR, comparing against the latest published crate version.

Assisted-by: OpenCode (Opus 4.5)

Signed-off-by: Colin Walters <[email protected]>

In prepare_header_path, the GNU long-name extension entry was written to
the stream before validating the truncated path via
set_truncated_path_for_gnu_header. If validation failed (e.g., the
truncated path contained '..'), the extension entry was already committed
to the stream with no rollback. The Builder remained usable, so
subsequent writes succeeded — but their data got associated with the
orphaned long-name path, silently corrupting the archive.

Fix by moving the truncation and validation above the append() call.
Since set_truncated_path_for_gnu_header only writes to the in-memory
header buffer (not the stream), reordering is safe.

Also audited prepare_header_link — it does not have this issue because
link names allow all path components (ParentDir, RootDir, etc.) and
there is no post-append validation step.

Wrap in-memory archive readers in tests with a RandomReader that
returns 1..=N bytes per read() call using a deterministic seeded
RNG. This ensures the tar parser correctly handles partial reads
rather than assuming read() fills the entire buffer.

Inspired by tar-core's test utilities.

Assisted-by: OpenCode (Claude claude-opus-4-6)

The [xtask pattern](https://github.com/matklad/cargo-xtask) is
a good way to capture ad-hoc workflows that one might otherwise write
in a poor language like bash.

Add the infra for that, and then add a `revdep-test` verb which
also gets wired up to CI.

This clones a few (ad-hoc selected) projects which use this crate.
Then we patch their Cargo.toml to use our local checkout and run their test suite.
Revdeps are pinned to release tags where possible (cargo 0.94.0,
cargo-vendor-filterer v0.5.18) for easy auditing; crates.io retains a
commit hash since it has no tags.

The cargo test filter `package::` is a substring match so we skip
unrelated cargo snapshot tests (cargo_add, cargo_info, etc.) that would
otherwise fail due to Rust version differences.

The goal is just more testing; prep for more work on this crate.

Assisted-by: OpenCode (Claude Opus)

Signed-off-by: Colin Walters <[email protected]>

Sorry I missed this one, some refactoring led to code duplication.

* ci: Consolidate workflows and add required-checks sentinel job

Merge the separate main.yml and revdep.yml workflow files into a single
ci.yml. This makes it possible to configure a single 'required-checks'
sentinel job as the required status check in repository settings,
instead of having to enumerate each individual job.

While here, modernize the workflow:
- Update actions/checkout from @master to @v4
- Use dtolnay/rust-toolchain instead of manual rustup where possible
- Add concurrency settings to cancel in-progress runs on the same PR
- Add explicit permissions (contents: read, write override for docs)
- Add timeout-minutes to all jobs
- Add fail-fast: false to the test matrix

Assisted-by: OpenCode (Claude claude-opus-4-6)

* ci: Bump actions/checkout to v6

Assisted-by: OpenCode (Claude claude-opus-4-6)

This synchronizes our behavior with most other tar parsers
(including astral-tokio-tar and Go archive/tar) ensuring
that we don't parse things differently.

The problem with parsing size in particular differently is
it's easy to craft a tar archive that appears completely differently
between two parsers. This is the case with e.g. crates.io where
astral-tokio-tar is used for validation server side, but cargo uses
the `tar` crate to upload.

With this, the two projects agree.

Signed-off-by: Colin Walters <[email protected]>
Co-authored-by: Colin Walters <[email protected]>

When unpacking a tarball containing a symlink followed by a directory
entry with the same path, unpack_dir previously used fs::metadata()
which follows symlinks. This allowed an attacker to modify permissions
on arbitrary directories outside the extraction path.

The fix uses fs::symlink_metadata() to detect symlinks and refuse to
treat them as valid existing directories.

Document more exhaustively+consistently security caveats.

Reported-by: Sergei Zimmerman <https://github.com/xokdvium>
Assisted-by: OpenCode (Claude claude-opus-4-5)

Signed-off-by: Colin Walters <[email protected]>
Co-authored-by: Colin Walters <[email protected]>

* Bump to 0.4.45

* Disable reverse deps checks