Hey Astro team,
We found a potentially vulnerable function to the Zip Slip vulnerability. The idea of the vulnerability is that by triggering a path transversal on a zip file you are able to write files outside of your folder (https://cwe.mitre.org/data/definitions/29.html)
Here is the vulnerable function:
https://github.com/uber/astro/blob/master/astro/tvm/utils.go#L69

We are well aware, that downloads files passed to unzip only occur from a specific URL provided by astro, so the risk is really low, but we thought we should let you know about the potential risk.

Regards
Semmle Security Team
Discovered by Max Schaefer