
Bump tar from 6.2.1 to 7.5.11#4081

Open
dependabot[bot] wants to merge 1 commit into master from dependabot/npm_and_yarn/tar-7.5.11

Conversation

@dependabot dependabot bot commented on behalf of github Mar 10, 2026

Bumps tar from 6.2.1 to 7.5.11.

Changelog

Sourced from tar's changelog.

Changelog

7.5

  • Added zstd compression support.
  • Consistent TOCTOU behavior in sync t.list
  • Only read from ustar block if not specified in Pax
  • Fix sync tar.list when file size reduces while reading
  • Sanitize absolute linkpaths properly
  • Prevent writing hardlink entries to the archive ahead of their file target

7.4

  • Deprecate onentry in favor of onReadEntry for clarity.

7.3

  • Add onWriteEntry option

7.2

  • DRY the command definitions into a single makeCommand method, and update the type signatures to more appropriately infer the return type from the options and arguments provided.

7.1

  • Update minipass to v7.1.0
  • Update the type definitions of write() and end() methods on Unpack and Parser classes to be compatible with the NodeJS.WritableStream type in the latest versions of @types/node.

7.0

  • Drop support for node <18
  • Rewrite in TypeScript, provide ESM and CommonJS hybrid interface
  • Add tree-shake friendly exports, like import('tar/create') and import('tar/read-entry') to get individual functions or classes.
  • Add chmod option that defaults to false, and deprecate noChmod. That is, reverse the default option regarding explicitly setting file system modes to match tar entry settings.
  • Add processUmask option to avoid having to call process.umask() when chmod: true (or noChmod: false) is set.

... (truncated)

Commits
Maintainer changes

This version was pushed to npm by isaacs, a new releaser for tar since your current version.

Install script changes

This version adds prepare script that runs during installation. Review the package contents before updating.


Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

Bumps [tar](https://github.com/isaacs/node-tar) from 6.2.1 to 7.5.11.
- [Release notes](https://github.com/isaacs/node-tar/releases)
- [Changelog](https://github.com/isaacs/node-tar/blob/main/CHANGELOG.md)
- [Commits](isaacs/node-tar@v6.2.1...v7.5.11)

---
updated-dependencies:
- dependency-name: tar
  dependency-version: 7.5.11
  dependency-type: direct:development
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Mar 10, 2026

vercel bot commented Mar 10, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

Project | Deployment | Actions | Updated (UTC)
umami | Error | Error | Mar 10, 2026 11:52pm

2 Skipped Deployments

Project | Deployment | Actions | Updated (UTC)
umami-analytics-us | Ignored | Ignored | Mar 10, 2026 11:52pm
umami-postgresql | Ignored | Ignored | Mar 10, 2026 11:52pm


greptile-apps bot commented Mar 10, 2026

Greptile Summary

This PR is a Dependabot-generated security upgrade of tar from the deprecated 6.2.1 to 7.5.11 — a major version bump that removes a widely-publicised set of path-traversal/symlink vulnerabilities. The package is a devDependency used exclusively by scripts/build-geo.js to download and parse a MaxMind GeoLite2 .tar.gz database at build time.

Key points:

  • Security motivation is solid: tar@6.2.1 carries a deprecation warning ("widely publicized security vulnerabilities") embedded directly in the lock file, making this upgrade appropriate.
  • API compatibility with existing usage: scripts/build-geo.js calls tar.t() (the list/parse command) and listens for entry events via .on('entry', ...). Both of these APIs are still fully supported in v7 — the v7 deprecation of onentry applies to the options object, not the event-based listener, so no code changes are required.
  • Breaking changes in v7 do not affect this codebase: The reversed chmod default (now false) applies only to extract mode (tar.x()), which is not used here. The mkdirp removal from tar's own dependencies is also immaterial since build-geo.js already uses fs.mkdirSync directly.
  • Node.js >=18 is now required by the entire new dependency subtree (chownr@3, minizlib@3, yallist@5, @isaacs/fs-minipass@4). The project's @types/node@^24.9.2 and other modern dependencies strongly imply Node 18+ is already the runtime target, but there is no explicit engines field in package.json to formally enforce this.
  • New prepare script: The PR description notes that tar@7 introduces a prepare install script (used to compile TypeScript sources). This is expected for a TypeScript-rewritten package maintained by a well-known npm author (isaacs) and does not present a practical supply-chain concern here.

Confidence Score: 5/5

  • This PR is safe to merge — it is a routine, well-scoped security dependency upgrade with no application code changes.
  • The only changed files are package.json and pnpm-lock.yaml. The single consumer of tar in the codebase (scripts/build-geo.js) uses only the tar.t() stream API and .on('entry', ...) event listener, both of which remain fully supported in v7. The breaking changes introduced in the v7 major bump (chmod default, onentry option deprecation, mkdirp removal) do not touch any code path exercised by this project. The Node >=18 requirement introduced by the new sub-dependencies is consistent with the project's existing tooling.
  • No files require special attention.

Important Files Changed

Filename | Overview
package.json | Updates tar specifier from ^6.1.2 to ^7.5.11 in devDependencies — a major version security bump removing a deprecated, vulnerable release.
pnpm-lock.yaml | Lock file updated to reflect tar@7.5.11 and its updated dependency tree: chownr 2→3, minizlib 2→3, yallist 4→5, fs-minipass replaced by @isaacs/fs-minipass@4.0.1, minipass consolidated to 7.1.3, and mkdirp dropped as a tar dependency. All new sub-dependencies require Node >=18.

Sequence Diagram

sequenceDiagram
    participant Script as build-geo.js
    participant HTTPS as https.get
    participant Zlib as zlib.createGunzip
    participant Tar as tar.t() (tar@7.5.11)
    participant FS as fs.createWriteStream

    Script->>HTTPS: GET *.tar.gz URL
    HTTPS-->>Zlib: pipe compressed response
    Zlib-->>Tar: pipe decompressed stream
    Tar-->>Script: emit 'entry' events (ReadEntry)
    loop For each entry
        Script->>Script: check entry.path.endsWith('.mmdb')
        alt .mmdb file found
            Script->>FS: entry.pipe(createWriteStream)
            FS-->>Script: 'finish' → resolve()
        end
    end

Last reviewed commit: 25d6913
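Added example, not code from the project or from the bot comments above: the entry-path check a consumer like the build-geo.js 'entry' listener described in the summary could apply before piping a ReadEntry to disk, covering the path-traversal and symlink class of issues that motivates the tar upgrade. It assumes entries carry tar's ReadEntry fields `path` and `type` (names such as 'File', 'SymbolicLink'); the listing is constructed.

```javascript
// Added example; not the project's build-geo.js and not part of tar itself.
// Entry objects are assumed to look like tar ReadEntry: { path, type }.

// Resolve "." and ".." segments by hand; return null if the path would
// climb out of the extraction root (avoids depending on node:path).
function normalizeSegments(p) {
  const out = [];
  for (const seg of p.replace(/\\/g, "/").split("/")) {
    if (seg === "" || seg === ".") continue;
    if (seg === "..") {
      if (out.length === 0) return null; // would escape the root
      out.pop();
    } else {
      out.push(seg);
    }
  }
  return out;
}

// Accept only a regular file with a relative, non-escaping path ending in .mmdb.
function isSafeMmdbEntry(entry) {
  const p = entry.path;
  if (typeof p !== "string" || p.length === 0 || p.includes("\0")) return false;
  if (entry.type !== "File") return false; // refuse dirs, symlinks, hardlinks
  // Absolute POSIX, Windows drive-letter and UNC-style paths are all refused.
  if (p.startsWith("/") || p.startsWith("\\") || /^[A-Za-z]:/.test(p)) return false;
  const segs = normalizeSegments(p);
  if (segs === null || segs.length === 0) return false;
  return segs[segs.length - 1].endsWith(".mmdb");
}

// Return the single acceptable .mmdb entry, or null unless exactly one exists.
function selectMmdbEntry(entries) {
  const safe = entries.filter(isSafeMmdbEntry);
  return safe.length === 1 ? safe[0] : null;
}

// Constructed sample listing: a GeoLite2-style archive plus entries that
// must be ignored rather than written anywhere.
const SAMPLE_ENTRIES = [
  { path: "GeoLite2-City_20260301/", type: "Directory" },
  { path: "GeoLite2-City_20260301/COPYRIGHT.txt", type: "File" },
  { path: "GeoLite2-City_20260301/GeoLite2-City.mmdb", type: "File" },
  { path: "../../outside.mmdb", type: "File" },
  { path: "/tmp/absolute.mmdb", type: "File" },
  { path: "GeoLite2-City_20260301/link.mmdb", type: "SymbolicLink" },
];
```

In a real listener the check runs inside `.on('entry', ...)` and entries that fail it are resumed and discarded instead of piped to a write stream.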
