Updated tar and node-gyp versions to the higher versions

[igeto]

---

Summary

• Bump tar from ^6.1.11 to ^6.2.1 to address CVE-2024-28863
• Bump node-gyp from 8.x to 10.x in peer and optional dependencies

Security Fix

This PR addresses CVE-2024-28863, a denial of service vulnerability in node-tar with a CVSS 3.1 score of 6.5 (Medium).

The vulnerability allows an attacker to craft a malicious tar archive with excessively deep folder hierarchies. When extracted, this can cause uncontrolled resource consumption leading to memory exhaustion and Node.js
process crashes.

Reference: https://nvd.nist.gov/vuln/detail/cve-2024-28863

The fix is included in tar v6.2.1, which prevents extraction in excessively deep subdirectories.

Compatibility

Both updated dependencies maintain compatibility with Node.js 16 and later:

• tar@^6.2.1 supports Node.js 14+
• node-gyp@10.x supports Node.js 16+

---

Note

Low Risk
Dependency-only change; main risk is build/install compatibility on environments that still rely on older node-gyp, but no runtime code paths change.

Overview
Updates dependency versions in package.json: bumps tar to ^6.2.1 and raises node-gyp from 8.x to 10.x for both peerDependencies and optionalDependencies (impacting the build toolchain used for native rebuilds).

^{Written by Cursor Bugbot for commit 6fef12f. This will update automatically on new commits. Configure here.}

[coderabbitai]

Walkthrough

This pull request updates dependency versions in package.json. The tar dependency is upgraded from ^6.1.11 to ^6.2.1. Additionally, node-gyp is upgraded from 8.x to 10.x in both the peerDependencies and optionalDependencies sections. The changes consist of three version declarations across these dependency fields with no functional or structural modifications to the project.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately summarizes the main change: updating tar and node-gyp versions to higher versions, matching the core changeset.
Description check	✅ Passed	The description is comprehensive and directly related to the changeset, providing security context, compatibility notes, and detailed rationale for the updates.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[sam-super]

6.2.1 has vulns now:

GHSA-34x7-hfp2-rc4v
GHSA-83g3-92jg-28cx
GHSA-r6q2-hw4h-h46w
GHSA-8qq5-rm4j-mr97

might be worth bumping to 7.5.8