From 531360ce788638aeb8290740620fc60617a27801 Mon Sep 17 00:00:00 2001
From: David Grunzweig
Date: Thu, 19 Feb 2026 14:37:42 -0500
Subject: [PATCH] Fix Dependabot alert #54: bump tar resolution to 7.5.8

Resolves high-severity arbitrary file read/write vulnerability (hardlink target escape through symlink chain) in node-tar.

Co-Authored-By: Claude Opus 4.6
---
 package.json | 2 +-
 yarn.lock | 8 ++++----
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/package.json b/package.json
index 196c21d..e4318ae 100644
--- a/package.json
+++ b/package.json
@@ -30,7 +30,7 @@
 "vite": "6.4.1",
 "@babel/runtime": "7.27.1",
 "@babel/helpers": "7.27.1",
-"tar": "7.5.7",
+"tar": "7.5.8",
 "qs": "6.14.2",
 "brace-expansion@^1.1.7": "1.1.12",
 "brace-expansion@^2.0.1": "2.0.2"
diff --git a/yarn.lock b/yarn.lock
index 1e996ca..be7ec18 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -8587,16 +8587,16 @@ __metadata:
 languageName: node
 linkType: hard
-"tar@npm:7.5.7":
-version: 7.5.7
-resolution: "tar@npm:7.5.7"
+"tar@npm:7.5.8":
+version: 7.5.8
+resolution: "tar@npm:7.5.8"
 dependencies:
 "@isaacs/fs-minipass": "npm:^4.0.0"
 chownr: "npm:^3.0.0"
 minipass: "npm:^7.1.2"
 minizlib: "npm:^3.1.0"
 yallist: "npm:^5.0.0"
-checksum: 10c0/51f261afc437e1112c3e7919478d6176ea83f7f7727864d8c2cce10f0b03a631d1911644a567348c3063c45abdae39718ba97abb073d22aa3538b9a53ae1e31c
+checksum: 10c0/8569db1b49f5d72084cbdcad9d2b39fcc115993186455aa052c1da0a2739b20e2d94af6a23609fc25d3ae63c9fed8b159f3b1d16b699e9ef25e3b8464603d153
 languageName: node
 linkType: hard