tar-fs 2.1.3 also has security vulnerabilities https://nvd.nist.gov/vuln/detail/CVE-2025-59343

Fortunately, dependabot already has a fix ready to go #814