[Snyk] Security upgrade tar from 6.2.0 to 7.5.7#122

Open
maidul98 wants to merge 1 commit into main from snyk-fix-14b281000ede6d2d32fd581b26fd052c

Conversation


@maidul98 maidul98 commented Feb 4, 2026


Snyk has created this PR to fix 1 vulnerability in the npm dependencies of this project.

Snyk changed the following file(s):

  • npm/package.json
  • npm/package-lock.json

Vulnerabilities that will be fixed with an upgrade:

Issue: Directory Traversal (medium severity), SNYK-JS-TAR-15127355
Score: 596

Important

  • Check the changes in this PR to ensure they won't cause issues with your project.
  • Max score is 1000. Note that the real score may have changed since the PR was raised.
  • This PR was automatically created by Snyk using the credentials of a real user.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.



greptile-apps bot commented Feb 4, 2026

Greptile Overview

Greptile Summary

This PR upgrades the tar package from 6.2.0 to 7.5.7 to fix a directory traversal vulnerability (SNYK-JS-TAR-15127355) with a priority score of 596/1000.

Key Changes

  • Upgraded tar dependency from ^6.2.0 to ^7.5.7
  • Updated transitive dependencies: minipass, minizlib, chownr, yallist to newer major versions
  • Added new dependency: @isaacs/fs-minipass
  • Removed dependencies: mkdirp, fs-minipass (now included in tar 7.x internally)

Security Impact

The upgrade fixes a medium-severity directory traversal vulnerability that could allow attackers to write files outside the intended extraction directory during tar archive extraction operations. This is critical for the npm package which extracts CLI binaries from tar.gz archives in the preinstall script (npm/src/index.cjs:150).

Breaking Changes

This is a major version upgrade (6.x to 7.x) with a breaking change:

  • Node.js 18+ is now required (previously Node.js 10+)
  • Your CI workflow already uses Node.js 20, so this is compatible
  • End users installing via npm must have Node.js 18 or higher

Compatibility Assessment

The tar API usage in npm/src/index.cjs:150 (tar.x() with C and filter options) remains compatible with tar 7.x. No code changes are required beyond the dependency update.

Confidence Score: 4/5

  • This PR is safe to merge with minimal risk - it addresses a security vulnerability with well-tested dependencies
  • The score reflects a straightforward security upgrade with minor breaking changes (Node.js version requirement). The tar API usage is compatible, CI uses appropriate Node.js version, and the upgrade addresses a real security concern. Deducted 1 point due to the major version bump and potential impact on users with older Node.js versions.
  • No files require special attention - this is a standard dependency upgrade

Important Files Changed

Filename: npm/package.json
Overview: Upgraded tar dependency from ^6.2.0 to ^7.5.7 to fix directory traversal vulnerability (SNYK-JS-TAR-15127355)

Filename: npm/package-lock.json
Overview: Updated dependency tree for tar 7.5.7 including new dependencies and updated transitive dependencies (minipass, minizlib, chownr, yallist), removed mkdirp and fs-minipass


@greptile-apps greptile-apps bot left a comment


2 files reviewed, 1 comment


},
"dependencies": {
"tar": "^6.2.0",
"tar": "^7.5.7",
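Review bot: The hunk bumps "tar" to "^7.5.7" under "dependencies" but nothing in it adds or updates an "engines" field, so users on Node.js older than 18 (which tar 7.x now requires, per the review above) get no install-time warning; consider adding `"engines": { "node": ">=18" }` alongside this change, and confirm that npm/package-lock.json resolves tar to exactly 7.5.7 rather than an older version that the caret range would also accept.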

Breaking Change - Node.js Version Requirement

The upgrade from tar 6.x to 7.x requires Node.js 18+ (was Node.js 10+).

Verify that:

  • CI/CD pipelines use Node.js 18 or higher (your release workflow uses Node.js 20, which is compatible ✓)
  • Users installing this NPM package have Node.js 18+
  • Documentation reflects the new minimum Node.js version requirement
