Skip to content

refactor: Bump tar and npm#218

Merged
mtrezza merged 1 commit into
masterfrom
dependabot/npm_and_yarn/multi-79a8a94197
Jul 13, 2026
Merged

refactor: Bump tar and npm#218
mtrezza merged 1 commit into
masterfrom
dependabot/npm_and_yarn/multi-79a8a94197

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 23, 2026

Copy link
Copy Markdown

Removes tar. It's no longer used after updating ancestor dependency npm. These dependencies need to be updated together.

Removes tar

Updates npm from 11.12.1 to 11.17.0

Release notes

Sourced from npm's releases.

v11.17.0

11.17.0 (2026-06-11)

Features

Bug Fixes

Documentation

Dependencies

Chores

v11.16.0

11.16.0 (2026-05-27)

Features

Bug Fixes

Documentation

... (truncated)

Changelog

Sourced from npm's changelog.

11.17.0 (2026-06-11)

Features

Bug Fixes

Documentation

Dependencies

Chores

11.16.0 (2026-05-27)

Features

Bug Fixes

Documentation

Dependencies

... (truncated)

Commits
  • 5866280 chore: release 11.17.0
  • 2922fa4 chore: dev dependency updates
  • bd09b87 deps: postcss-selector-parser@7.1.4
  • 95bfc4c deps: tinyglobby@0.2.17
  • 8c0d5fd deps: tar@7.5.16
  • 967d377 deps: semver@7.8.4
  • cdaac1b deps: pacote@21.5.1
  • 25c8a9e deps: node-gyp@12.4.0
  • 847cdf8 fix: match dotted and versioned args in approve-scripts/deny-scripts
  • 5f73e31 feat: differentiate GitHub Actions environments in user-agent (#9517)
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

Summary by CodeRabbit

  • Chores
    • Updated the bundled npm tooling and related dependency versions.
    • Refreshed dependency lockfile metadata for improved consistency during package installation.

Removes [tar](https://github.com/isaacs/node-tar). It's no longer used after updating ancestor dependency [npm](https://github.com/npm/cli). These dependencies need to be updated together.


Removes `tar`

Updates `npm` from 11.12.1 to 11.17.0
- [Release notes](https://github.com/npm/cli/releases)
- [Changelog](https://github.com/npm/cli/blob/v11.17.0/CHANGELOG.md)
- [Commits](npm/cli@v11.12.1...v11.17.0)

---
updated-dependencies:
- dependency-name: tar
  dependency-version:
  dependency-type: indirect
- dependency-name: npm
  dependency-version: 11.17.0
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Bot label; pull requests that updates a dependency file javascript Pull requests that update javascript code labels Jun 23, 2026
@mtrezza

mtrezza commented Jul 13, 2026

Copy link
Copy Markdown
Member

@coderabbitai review

@coderabbitai

coderabbitai Bot commented Jul 13, 2026

Copy link
Copy Markdown
✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@coderabbitai

coderabbitai Bot commented Jul 13, 2026

Copy link
Copy Markdown

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 39308552-c9c2-4dcd-84f9-1be500ede448

📥 Commits

Reviewing files that changed from the base of the PR and between 4912793 and 291b006.

📒 Files selected for processing (1)
  • package-lock.json

📝 Walkthrough

Walkthrough

Changes

npm lockfile refresh

Layer / File(s) Summary
Bundled npm version
package-lock.json
Updates bundled npm from 11.12.1 to 11.17.0 and refreshes its resolved and integrity metadata.
Bundled dependency pins
package-lock.json
Refreshes nested npm dependencies across npmcli, sigstore, networking, packaging, and utility packages.

Estimated code review effort: 1 (Trivial) | ~5 minutes

🚥 Pre-merge checks | ✅ 6 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Security Check ⚠️ Warning FAIL: the lockfile upgrades bundled node-tar to 7.5.16, but CVE-2026-59871 affects node-tar < 7.5.18 and can crash on crafted PAX archives. Update npm/tar to a release bundling node-tar >=7.5.18, then refresh the lockfile.
✅ Passed checks (6 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title matches the PR’s main dependency update and follows the required prefix/capitalization pattern.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Engage In Review Feedback ✅ Passed PR shows “No reviews”; the only human comment is an @coderabbitai review trigger, not unresolved feedback. citeturn4view0turn3view4
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch dependabot/npm_and_yarn/multi-79a8a94197

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@mtrezza mtrezza merged commit 860ec8c into master Jul 13, 2026
6 checks passed
@dependabot dependabot Bot deleted the dependabot/npm_and_yarn/multi-79a8a94197 branch July 13, 2026 02:34
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Bot label; pull requests that updates a dependency file javascript Pull requests that update javascript code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant