chore(deps): bump tar and ls-engines

[dependabot]

Bumps tar to 7.5.16 and updates ancestor dependency ls-engines. These dependencies need to be updated together.

Updates tar from 6.2.1 to 7.5.16

Changelog

Sourced from tar's changelog.

Changelog

7.5

• Added zstd compression support.
• Consistent TOCTOU behavior in sync t.list
• Only read from ustar block if not specified in Pax
• Fix sync tar.list when file size reduces while reading
• Sanitize absolute linkpaths properly
• Prevent writing hardlink entries to the archive ahead of their file target

7.4

• Deprecate onentry in favor of onReadEntry for clarity.

7.3

• Add onWriteEntry option

7.2

• DRY the command definitions into a single makeCommand method, and update the type signatures to more appropriately infer the return type from the options and arguments provided.

7.1

• Update minipass to v7.1.0
• Update the type definitions of write() and end() methods on Unpack and Parser classes to be compatible with the NodeJS.WritableStream type in the latest versions of @types/node.

7.0

• Drop support for node <18
• Rewrite in TypeScript, provide ESM and CommonJS hybrid interface
• Add tree-shake friendly exports, like import('tar/create') and import('tar/read-entry') to get individual functions or classes.
• Add chmod option that defaults to false, and deprecate noChmod. That is, reverse the default option regarding explicitly setting file system modes to match tar entry settings.
• Add processUmask option to avoid having to call process.umask() when chmod: true (or noChmod: false) is set.

... (truncated)

Commits

• cf21338 7.5.16
• 21a8220 do not apply PAX header fields to meta entries
• 52632cf update project deps
• 302f51f fix inconsequential typo in PENDINGLINKS symbol name
• 55dbb99 remove some uses of mutate-fs
• 87cc309 7.5.15
• 7aef486 fix: regression in pending links detection
• 6244eb3 7.5.14
• 9704d8c stricter protection against hardlinks preempting their targets
• 700734f update workflows and deps
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by isaacs, a new releaser for tar since your current version.

Install script changes

This version adds prepare script that runs during installation. Review the package contents before updating.

Updates ls-engines from 0.9.4 to 0.10.0

Changelog

Sourced from ls-engines's changelog.

v0.10.0 - 2025-12-22

Commits

• [Dev Deps] update eslint, @ljharb/eslint-config 9bdfde1
• [Refactor] switch from yargs to pargs 52031da
• [Refactor] extract fulfilled result processing into separate module 6621295
• [Deps] remove unused and no-longer-needed deps 04c90fb
• [Refactor] use util.styleText instead of colors b77a164
• [Tests] add regression test for --save flag modifying package.json fb74dd9
• [Refactor] convert CLI entrypoint to ESM f5f4084
• [Breaking] require node 22 9d4fbbc
• [Fix] correctly extract save function from fulfilled result value 4d04d3c
• [Deps] update @npmcli/arborist, json-file-plus, pacote a6f1e0e
• [Dev Deps] update nyc 1569183
• [Dev Deps] update npmignore b1342bb
• [Deps] update json-file-plus fa28493
• [Deps] update get-dep-tree 53f3cfa
• [Dev Deps] update @ljharb/eslint-config db2c528

Commits

• 8524cce v0.10.0
• 1569183 [Dev Deps] update nyc
• b1342bb [Dev Deps] update npmignore
• 6621295 [Refactor] extract fulfilled result processing into separate module
• 4d04d3c [Fix] correctly extract save function from fulfilled result value
• fb74dd9 [Tests] add regression test for --save flag modifying package.json
• fa28493 [Deps] update json-file-plus
• 04c90fb [Deps] remove unused and no-longer-needed deps
• 53f3cfa [Deps] update get-dep-tree
• b77a164 [Refactor] use util.styleText instead of colors
• Additional commits viewable in compare view

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	ls-engines@​0.9.4 ⏵ 0.10.0	+1		+1

View full report