diff --git a/spacy/cli/project/remote_storage.py b/spacy/cli/project/remote_storage.py
index b03f74a2d..12e252b3c 100644
--- a/spacy/cli/project/remote_storage.py
+++ b/spacy/cli/project/remote_storage.py
@@ -85,6 +85,9 @@ class RemoteStorage:
         with tarfile.open(tar_loc, mode=mode_string) as tar_file:
             # This requires that the path is added correctly, relative
             # to root. This is how we set things up in push()
+
+            # Disallow paths outside the current directory for the tar
+            # file (CVE-2007-4559, directory traversal vulnerability)
             def is_within_directory(directory, target):
                 abs_directory = os.path.abspath(directory)
                 abs_target = os.path.abspath(target)
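Review bot: The added comment says "outside the current directory", but the helper it introduces compares `abs_target` against the abspath of its `directory` argument, not the process working directory; `# Disallow tar members that would land outside the extraction directory (CVE-2007-4559, directory traversal)` would match what the code checks. The body of is_within_directory runs past the end of the hunk, so the prefix comparison itself is not visible here; if it relies on os.path.abspath alone, it is worth recording in the comment that abspath does not resolve symlinks, so a member written through a previously extracted symlink is not covered by this check. On Python 3.12+ (and the backported security releases) `tar_file.extractall(path, filter="data")` handles that case as well as absolute paths and device files, so a pointer to it in the comment would let this helper be retired once the minimum Python version allows.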