Update astral-tokio-tar requirement from 0.5 to 0.6 #446

Merged: cgwalters merged 1 commit into main from dependabot/cargo/astral-tokio-tar-0.6 on Mar 31, 2026
Conversation

@dependabot dependabot (Bot, Contributor) commented on behalf of github on Mar 20, 2026

Updates the requirements on astral-tokio-tar to permit the latest version.

Changelog

Sourced from astral-tokio-tar's changelog.

0.5.6

  • Fixed a parser desynchronization vulnerability when reading tar archives that contain mismatched size information in PAX/ustar headers.

    This vulnerability is being tracked as GHSA-j5gw-2vrg-8fgx and CVE-2025-62518.

0.5.5

  • This is a corrective release for 0.5.4 to fix a debugging artifact that was accidentally left in the release.

0.5.4

0.5.3

0.5.2

0.5.1

0.5.0

  • Setting preserve_permissions to false will avoid setting any permissions on extracted files. In alexcrichton/tar-rs, setting preserve_permissions to false will still set read, write, and execute permissions on extracted files, but will avoid setting extended permissions (e.g., setuid, setgid, and sticky bits).
  • Avoid creating directories outside the unpack target (see: alexcrichton/tar-rs#259).
  • Added unpack_in_raw which memoizes the set of validated paths (and assumes a pre-canonicalized unpack target) to avoid redundant filesystem operations.
Commits
  • 1add8c8 astral-tokio-tar 0.6.0 (#71)
  • e5e0139 Merge commit from fork
  • e29cef1 Bump bytes from 1.10.0 to 1.11.1 (#69)
  • eb74efe Bump tokio from 1.43.0 to 1.43.1 (#70)
  • aafc292 docs: add security considerations to the README and entry::path documentation...
  • a53325f Bump zizmorcore/zizmor-action from 0.4.1 to 0.5.0 in the github-actions group...
  • c5eb81d Bump the github-actions group across 1 directory with 3 updates (#66)
  • ae1fc1d chore: prep release 0.5.6 (#61)
  • 22b3f88 Merge commit from fork
  • bf266ff Bump to v0.5.5 (#59)
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
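The 0.5.0 changelog entry above mentions refusing to create directories outside the unpack target. The following is an added example, not code from astral-tokio-tar or from this PR: a standalone lexical containment check in Rust using only the standard library, of the kind an extractor runs on each entry name before touching the filesystem. The function `contained_path`, the error type and the sample entry names are my own constructions; the crate's actual API is not shown here.

```rust
use std::path::{Component, Path, PathBuf};

/// Why an archive entry name was rejected (hypothetical type for this example).
#[derive(Debug, PartialEq)]
pub enum PathError {
    /// Entry name is absolute or carries a drive/UNC prefix.
    Absolute,
    /// A `..` component would climb above the unpack target.
    Escapes,
}

/// Resolve `entry` beneath `target` purely lexically, without consulting the filesystem.
///
/// Rules: absolute names and Windows prefixes are rejected outright; `.` is ignored;
/// `..` is applied to the components already accepted from the entry and is rejected
/// as soon as it would move above `target`. The caller still has to verify the result
/// against what is already on disk (see the note below).
pub fn contained_path(target: &Path, entry: &str) -> Result<PathBuf, PathError> {
    let mut out = target.to_path_buf();
    // Number of entry components currently pushed below `target`; `..` may only
    // pop these, never the target's own components.
    let mut depth: usize = 0;
    for comp in Path::new(entry).components() {
        match comp {
            Component::RootDir | Component::Prefix(_) => return Err(PathError::Absolute),
            Component::CurDir => {}
            Component::Normal(part) => {
                out.push(part);
                depth += 1;
            }
            Component::ParentDir => {
                if depth == 0 {
                    return Err(PathError::Escapes);
                }
                out.pop();
                depth -= 1;
            }
        }
    }
    Ok(out)
}

fn main() {
    // Constructed sample entry names, as they might appear in an archive listing.
    let target = Path::new("/tmp/unpack");
    let samples = ["a/b/c", "a/b/../c", "./", "../x", "a/../../x", "/abs/file"];
    for name in samples {
        match contained_path(target, name) {
            Ok(p) => println!("{name:>12} -> extract to {}", p.display()),
            Err(e) => println!("{name:>12} -> rejected ({e:?})"),
        }
    }
}
```

This check is lexical only: it cannot see a symlink that an earlier entry already placed on one of the path components, so an extractor also has to validate each component against the filesystem as it goes. The memoized set of validated paths that the 0.5.0 entry describes for unpack_in_raw is one way to keep that per-entry filesystem work from being repeated.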

Updates the requirements on [astral-tokio-tar](https://github.com/astral-sh/tokio-tar) to permit the latest version.
- [Release notes](https://github.com/astral-sh/tokio-tar/releases)
- [Changelog](https://github.com/astral-sh/tokio-tar/blob/main/CHANGELOG.md)
- [Commits](astral-sh/tokio-tar@v0.5.0...v0.6.0)

---
updated-dependencies:
- dependency-name: astral-tokio-tar
  dependency-version: 0.6.0
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot (Bot) added the labels "dependencies" (Pull requests that update a dependency file) and "rust" (Pull requests that update rust code) on Mar 20, 2026
@cgwalters cgwalters merged commit 59d803e into main on Mar 31, 2026
11 checks passed
@cgwalters cgwalters deleted the dependabot/cargo/astral-tokio-tar-0.6 branch on March 31, 2026 at 23:17