Bump tar from 7.4.3 to 7.5.19

[dependabot]

Bumps tar from 7.4.3 to 7.5.19.

Changelog

Sourced from tar's changelog.

Changelog

7.5

• Added zstd compression support.
• Consistent TOCTOU behavior in sync t.list
• Only read from ustar block if not specified in Pax
• Fix sync tar.list when file size reduces while reading
• Sanitize absolute linkpaths properly
• Prevent writing hardlink entries to the archive ahead of their file target

7.4

• Deprecate onentry in favor of onReadEntry for clarity.

7.3

• Add onWriteEntry option

7.2

• DRY the command definitions into a single makeCommand method, and update the type signatures to more appropriately infer the return type from the options and arguments provided.

7.1

• Update minipass to v7.1.0
• Update the type definitions of write() and end() methods on Unpack and Parser classes to be compatible with the NodeJS.WritableStream type in the latest versions of @types/node.

7.0

• Drop support for node <18
• Rewrite in TypeScript, provide ESM and CommonJS hybrid interface
• Add tree-shake friendly exports, like import('tar/create') and import('tar/read-entry') to get individual functions or classes.
• Add chmod option that defaults to false, and deprecate noChmod. That is, reverse the default option regarding explicitly setting file system modes to match tar entry settings.
• Add processUmask option to avoid having to call process.umask() when chmod: true (or noChmod: false) is set.

... (truncated)

Commits

• be440da 7.5.19
• 2812e93 add maxDecompressionRatio guard against explosive decompression
• 9ecd4d2 7.5.18
• 9e78bf0 refuse to let header size be less than 0
• e02a4e9 pax: parse values according to known types
• 9cbdb31 7.5.17
• 7a635c2 terminate pax strings on nul bytes
• cf21338 7.5.16
• 21a8220 do not apply PAX header fields to meta entries
• 52632cf update project deps
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by isaacs, a new releaser for tar since your current version.

Install script changes

This version adds prepare script that runs during installation. Review the package contents before updating.

---

Note

Low Risk
Lockfile-only transitive dependency bump with security-focused tar fixes; no application code changes, though install-time behavior may differ if tar’s prepare script runs.

Overview
Dependency update: package-lock.json pins tar from 7.4.3 to 7.5.19 and minizlib from 3.0.2 to 3.1.0. tar appears as a transitive dependency (e.g. under @expo/cli); there are no direct app imports of tar.

The newer tar release line adds hardening relevant to archive handling—e.g. maxDecompressionRatio against explosive decompression, stricter PAX/header parsing, linkpath sanitization, and related listing/extraction fixes—plus optional zstd support. The lockfile also drops a nested mkdirp entry under tar as dependency layout changed in the new version.

^{Reviewed by Cursor Bugbot for commit a56f4c2. Bugbot is set up for automated code reviews on this repo. Configure here.}