Skip to content

build(deps): bump tar, @mapbox/node-pre-gyp and npm#3532

Open
dependabot[bot] wants to merge 1 commit into
masterfrom
dependabot/npm_and_yarn/multi-5deef68cca
Open

build(deps): bump tar, @mapbox/node-pre-gyp and npm#3532
dependabot[bot] wants to merge 1 commit into
masterfrom
dependabot/npm_and_yarn/multi-5deef68cca

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 15, 2026

Copy link
Copy Markdown
Contributor

Bumps tar to 7.5.19 and updates ancestor dependencies tar, @mapbox/node-pre-gyp and npm. These dependencies need to be updated together.

Updates tar from 6.2.1 to 7.5.19

Changelog

Sourced from tar's changelog.

Changelog

7.5

  • Added zstd compression support.
  • Consistent TOCTOU behavior in sync t.list
  • Only read from ustar block if not specified in Pax
  • Fix sync tar.list when file size reduces while reading
  • Sanitize absolute linkpaths properly
  • Prevent writing hardlink entries to the archive ahead of their file target

7.4

  • Deprecate onentry in favor of onReadEntry for clarity.

7.3

  • Add onWriteEntry option

7.2

  • DRY the command definitions into a single makeCommand method, and update the type signatures to more appropriately infer the return type from the options and arguments provided.

7.1

  • Update minipass to v7.1.0
  • Update the type definitions of write() and end() methods on Unpack and Parser classes to be compatible with the NodeJS.WritableStream type in the latest versions of @types/node.

7.0

  • Drop support for node <18
  • Rewrite in TypeScript, provide ESM and CommonJS hybrid interface
  • Add tree-shake friendly exports, like import('tar/create') and import('tar/read-entry') to get individual functions or classes.
  • Add chmod option that defaults to false, and deprecate noChmod. That is, reverse the default option regarding explicitly setting file system modes to match tar entry settings.
  • Add processUmask option to avoid having to call process.umask() when chmod: true (or noChmod: false) is set.

... (truncated)

Commits
Maintainer changes

This version was pushed to npm by isaacs, a new releaser for tar since your current version.

Install script changes

This version adds prepare script that runs during installation. Review the package contents before updating.


Updates @mapbox/node-pre-gyp from 1.0.9 to 2.0.3

Release notes

Sourced from @​mapbox/node-pre-gyp's releases.

v2.0.3

v2.0.2

  • Support private ACL for S3 buckets #923

v2.0.1

v2.0.0

  • Supported Node versions are now stable versions of Node 18+. We will attempt to track the Node.js release schedule and will regularly retire support for versions that have reached EOL.
  • Fixed use of s3ForcePathStyle for installation #650
  • Upgraded to https-proxy-agent 7.0.5, nopt 8.0.0, semver 7.5.3, and tar 7.4.0
  • Replaced npmlog with consola
  • Removed rimraf and make-dir as dependencies

v2.0.0-rc.0

  • Supported Node versions are now stable versions of Node 18+. We will attempt to track the Node.js release schedule and will regularly retire support for versions that have reached EOL.
  • Fixed use of s3ForcePathStyle for installation #650
  • Upgraded to https-proxy-agent 7.0.5, nopt 8.0.0, semver 7.5.3, and tar 7.4.0
  • Replaced npmlog with consola
  • Removed rimraf and make-dir as dependencies
Changelog

Sourced from @​mapbox/node-pre-gyp's changelog.

2.0.3

2.0.2

  • Support private ACL for S3 buckets #923

2.0.1

2.0.0

  • Supported Node versions are now stable versions of Node 18+. We will attempt to track the Node.js release schedule and will regularly retire support for versions that have reached EOL.
  • Fixed use of s3ForcePathStyle for installation #650
  • Upgraded to https-proxy-agent 7.0.5, nopt 8.0.0, semver 7.5.3, and tar 7.4.0
  • Replaced npmlog with consola
  • Removed rimraf and make-dir as dependencies

1.0.11

1.0.10

  • Upgraded minimist to 1.2.6 to address dependabot alert CVE-2021-44906
Commits
Maintainer changes

This version was pushed to npm by mbx-npm-03-production, a new releaser for @​mapbox/node-pre-gyp since your current version.


Updates npm from 11.16.0 to 11.18.0

Release notes

Sourced from npm's releases.

v11.18.0

11.18.0 (2026-06-29)

Features

Bug Fixes

Documentation

Dependencies

Chores

arborist: 9.9.0

9.9.0 (2026-06-29)

Features

Bug Fixes

... (truncated)

Changelog

Sourced from npm's changelog.

11.18.0 (2026-06-29)

Features

Bug Fixes

Documentation

Dependencies

Chores

11.17.0 (2026-06-11)

Features

Bug Fixes

... (truncated)

Commits
  • a9c8c06 chore: release 11.18.0
  • f79b37f chore: dev dependency updates
  • 54656b6 deps: undici@6.27.0
  • 31c4773 deps: brace-expansion@5.0.7
  • e773c77 deps: tar@7.5.19
  • f05f6af deps: semver@7.8.5
  • 3021ad6 feat(arborist): extend replace-registry-host with URL prefix matching (#6110)...
  • 598ffdb fix(sbom): percent-encode vcs_url qualifier in generated purls (#9693)
  • f3f2465 fix(exec): prevent shared binPaths pollution across workspace runs (#9692)
  • 05793d0 fix: output all the required parameters for npm token list (#9691)
  • Additional commits viewable in compare view

@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Jun 15, 2026
Bumps [tar](https://github.com/isaacs/node-tar) to 7.5.19 and updates ancestor dependencies [tar](https://github.com/isaacs/node-tar), [@mapbox/node-pre-gyp](https://github.com/mapbox/node-pre-gyp) and [npm](https://github.com/npm/cli). These dependencies need to be updated together.


Updates `tar` from 6.2.1 to 7.5.19
- [Release notes](https://github.com/isaacs/node-tar/releases)
- [Changelog](https://github.com/isaacs/node-tar/blob/main/CHANGELOG.md)
- [Commits](isaacs/node-tar@v6.2.1...v7.5.19)

Updates `@mapbox/node-pre-gyp` from 1.0.9 to 2.0.3
- [Release notes](https://github.com/mapbox/node-pre-gyp/releases)
- [Changelog](https://github.com/mapbox/node-pre-gyp/blob/master/CHANGELOG.md)
- [Commits](mapbox/node-pre-gyp@v1.0.9...v2.0.3)

Updates `npm` from 11.16.0 to 11.18.0
- [Release notes](https://github.com/npm/cli/releases)
- [Changelog](https://github.com/npm/cli/blob/v11.18.0/CHANGELOG.md)
- [Commits](npm/cli@v11.16.0...v11.18.0)

---
updated-dependencies:
- dependency-name: "@mapbox/node-pre-gyp"
  dependency-version: 2.0.3
  dependency-type: direct:development
- dependency-name: npm
  dependency-version: 11.17.0
  dependency-type: indirect
- dependency-name: tar
  dependency-version: 7.5.16
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/multi-5deef68cca branch from c853aa5 to f025b58 Compare July 9, 2026 15:20
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants