Description
Hi,
Version affected: github.com/vbatts/tar-split@v0.11.6
Go Versions Affected: up to (excluding) go1.18.7, go1.19.2
This CVE identifies a vulnerability in the tar-split library, which is used in one of our applications as a dependency. The issue appears to originate from an older version of Go specified in the go.mod file (Go 1.17), which has since been addressed in Go 1.18.7. For more details, see the CVE entry: https://nvd.nist.gov/vuln/detail/cve-2022-2879.
I have been monitoring the repository for activity or updates regarding this issue; unfortunately, there has been none. Do the authors plan to fix this? I believe this should not involve a complex change, as it appears the root cause lies in the use of an outdated Go version. Upgrading to Go 1.18.7 or later, where this vulnerability is resolved, should mitigate the issue.
It would be greatly appreciated if these findings could be addressed. Thanks from the mountain.
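The following is an added example, not code from tar-split or from the issue author, that makes the CVE concrete: CVE-2022-2879 is the `archive/tar` issue in which `Reader.Next` read PAX and GNU long-name header blocks with no size limit, and the fix shipped in go1.18.7 and go1.19.2 caps such special files at 1 MiB, returning `tar.ErrFieldTooLong` beyond that. The program hand-assembles an in-memory archive (the archive bytes, the entry names `PaxHeaders/payload` and `payload`, and the `path` record lengths are all constructed here) whose PAX extended header carries a 2 MiB `path` record, and reads it with `archive/tar`. A patched toolchain rejects it with `ErrFieldTooLong`; an unpatched one allocates the whole header. The `tar.Writer` is deliberately not used, because a patched writer refuses to emit such a header, so the 512-byte USTAR blocks are built directly.

```go
package main

// Added example (not part of the tar-split project or the issue above):
// hand-builds a tar archive with an oversized PAX header and checks how
// the toolchain's archive/tar handles it.

import (
	"archive/tar"
	"bytes"
	"errors"
	"fmt"
	"io"
	"strconv"
	"strings"
)

const blockSize = 512

// ustarBlock assembles one 512-byte USTAR header block for an entry with the
// given name, type flag and size, with a correct checksum (sum of all bytes
// with the checksum field itself counted as eight spaces).
func ustarBlock(name string, typeflag byte, size int) []byte {
	blk := make([]byte, blockSize)
	copy(blk[0:100], name)
	copy(blk[100:108], "0000644\x00")                  // mode
	copy(blk[108:116], "0000000\x00")                  // uid
	copy(blk[116:124], "0000000\x00")                  // gid
	copy(blk[124:136], fmt.Sprintf("%011o\x00", size)) // size, octal
	copy(blk[136:148], "00000000000\x00")              // mtime
	copy(blk[148:156], "        ")                     // chksum placeholder
	blk[156] = typeflag
	copy(blk[257:263], "ustar\x00") // magic
	copy(blk[263:265], "00")        // version
	sum := 0
	for _, b := range blk {
		sum += int(b)
	}
	copy(blk[148:156], fmt.Sprintf("%06o\x00 ", sum))
	return blk
}

// paxRecord encodes one "len key=value\n" PAX record; len counts the whole
// record, including the length digits themselves.
func paxRecord(key, value string) string {
	body := " " + key + "=" + value + "\n"
	size := len(body) + len(strconv.Itoa(len(body)))
	rec := strconv.Itoa(size) + body
	if len(rec) != size { // the digit count grew by one
		size = len(rec)
		rec = strconv.Itoa(size) + body
	}
	return rec
}

// pad appends NUL bytes up to the next 512-byte boundary.
func pad(buf *bytes.Buffer) {
	if rem := buf.Len() % blockSize; rem != 0 {
		buf.Write(make([]byte, blockSize-rem))
	}
}

// craftArchive returns a constructed two-entry archive: a PAX extended header
// carrying a "path" record of nameLen bytes, then the empty regular file it
// describes, then the end-of-archive marker.
func craftArchive(nameLen int) []byte {
	rec := paxRecord("path", strings.Repeat("a", nameLen))
	var buf bytes.Buffer
	buf.Write(ustarBlock("PaxHeaders/payload", tar.TypeXHeader, len(rec)))
	buf.WriteString(rec)
	pad(&buf)
	buf.Write(ustarBlock("payload", tar.TypeReg, 0))
	buf.Write(make([]byte, 2*blockSize))
	return buf.Bytes()
}

// probeHeaderLimit reads the crafted archive with archive/tar and returns the
// name of the first entry, or the error that Next produced.
func probeHeaderLimit(nameLen int) (string, error) {
	tr := tar.NewReader(bytes.NewReader(craftArchive(nameLen)))
	hdr, err := tr.Next()
	if err != nil {
		return "", err
	}
	if _, err := io.Copy(io.Discard, tr); err != nil {
		return "", err
	}
	return hdr.Name, nil
}

// isHeaderLimitError reports whether the reader enforced the 1 MiB cap on
// special files that the CVE-2022-2879 fix introduced.
func isHeaderLimitError(err error) bool {
	return errors.Is(err, tar.ErrFieldTooLong)
}

func main() {
	for _, n := range []int{300, 2 << 20} {
		name, err := probeHeaderLimit(n)
		switch {
		case isHeaderLimitError(err):
			fmt.Printf("path of %d bytes: rejected (%v); toolchain has the CVE-2022-2879 fix\n", n, err)
		case err != nil:
			fmt.Printf("path of %d bytes: unexpected error: %v\n", n, err)
		default:
			fmt.Printf("path of %d bytes: accepted, entry name length %d\n", n, len(name))
		}
	}
}
```

The 300-byte path is accepted on every Go version (PAX headers under 1 MiB are legitimate and common), while the 2 MiB record is rejected only by a patched `archive/tar`. Since `archive/tar` ships with the toolchain rather than with any module, what this probes is the Go that compiled the binary, so it is most useful run from the consuming application's own build environment.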