Skip to content

refactor: Bump tar and npm#897

Merged
mtrezza merged 1 commit into
masterfrom
dependabot/npm_and_yarn/multi-8b4e18c3c0
Jul 13, 2026
Merged

refactor: Bump tar and npm#897
mtrezza merged 1 commit into
masterfrom
dependabot/npm_and_yarn/multi-8b4e18c3c0

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 23, 2026

Copy link
Copy Markdown
Contributor

Bumps tar and npm. These dependencies needed to be updated together.
Updates tar from 7.5.13 to 7.5.20

Commits

Updates npm from 11.12.1 to 11.18.0

Release notes

Sourced from npm's releases.

v11.18.0

11.18.0 (2026-06-29)

Features

Bug Fixes

Documentation

Dependencies

Chores

arborist: 9.9.0

9.9.0 (2026-06-29)

Features

Bug Fixes

... (truncated)

Changelog

Sourced from npm's changelog.

11.18.0 (2026-06-29)

Features

Bug Fixes

Documentation

Dependencies

Chores

11.17.0 (2026-06-11)

Features

Bug Fixes

... (truncated)

Commits
  • a9c8c06 chore: release 11.18.0
  • f79b37f chore: dev dependency updates
  • 54656b6 deps: undici@6.27.0
  • 31c4773 deps: brace-expansion@5.0.7
  • e773c77 deps: tar@7.5.19
  • f05f6af deps: semver@7.8.5
  • 3021ad6 feat(arborist): extend replace-registry-host with URL prefix matching (#6110)...
  • 598ffdb fix(sbom): percent-encode vcs_url qualifier in generated purls (#9693)
  • f3f2465 fix(exec): prevent shared binPaths pollution across workspace runs (#9692)
  • 05793d0 fix: output all the required parameters for npm token list (#9691)
  • Additional commits viewable in compare view

Summary by CodeRabbit

  • Chores
    • Updated the bundled npm tooling and related packages to newer versions.
    • Refreshed package integrity and resolution data for improved dependency consistency.
    • Updated the top-level archive utility package.

@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Jun 23, 2026
@mtrezza

mtrezza commented Jul 13, 2026

Copy link
Copy Markdown
Member

@coderabbitai review

@coderabbitai

coderabbitai Bot commented Jul 13, 2026

Copy link
Copy Markdown
✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

Bumps [tar](https://github.com/isaacs/node-tar) and [npm](https://github.com/npm/cli). These dependencies needed to be updated together.

Updates `tar` from 7.5.13 to 7.5.20
- [Release notes](https://github.com/isaacs/node-tar/releases)
- [Changelog](https://github.com/isaacs/node-tar/blob/main/CHANGELOG.md)
- [Commits](isaacs/node-tar@v7.5.13...v7.5.20)

Updates `npm` from 11.12.1 to 11.18.0
- [Release notes](https://github.com/npm/cli/releases)
- [Changelog](https://github.com/npm/cli/blob/v11.18.0/CHANGELOG.md)
- [Commits](npm/cli@v11.12.1...v11.18.0)

---
updated-dependencies:
- dependency-name: npm
  dependency-version: 11.17.0
  dependency-type: indirect
- dependency-name: tar
  dependency-version: 7.5.16
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot
dependabot Bot force-pushed the dependabot/npm_and_yarn/multi-8b4e18c3c0 branch from 5a69d18 to 5c230a6 Compare July 13, 2026 02:12
@coderabbitai

coderabbitai Bot commented Jul 13, 2026

Copy link
Copy Markdown

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 1996215f-6adb-4fc6-abc5-7e9f5ff92161

📥 Commits

Reviewing files that changed from the base of the PR and between f7f540a and 5c230a6.

📒 Files selected for processing (1)
  • package-lock.json

📝 Walkthrough

Walkthrough

The lockfile updates npm from 11.12.1 to 11.18.0, refreshes its bundled dependency tree, and bumps top-level tar from 7.5.13 to 7.5.20.

Changes

npm lockfile refresh

Layer / File(s) Summary
npm and tar metadata
package-lock.json
Updates locked npm metadata to 11.18.0 and top-level tar metadata to 7.5.20.
Bundled dependency graph
package-lock.json
Refreshes npm’s dependency requirements and bundled versions across npmcli, libnpm, sigstore, node-gyp, pacote, semver, tar, undici, and related packages.

Estimated code review effort: 1 (Trivial) | ~5 minutes

Possibly related PRs

🚥 Pre-merge checks | ✅ 7
✅ Passed checks (7 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title matches the required prefix and clearly summarizes the dependency bump.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Security Check ✅ Passed Lockfile-only update; tar 7.5.20 and npm 11.18.0 are above the affected GitHub advisory ranges, and no source code changed.
Engage In Review Feedback ✅ Passed No substantive review feedback is evident in the PR context; the lockfile-only bump shows nothing indicating ignored or prematurely resolved threads.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch dependabot/npm_and_yarn/multi-8b4e18c3c0

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@mtrezza

mtrezza commented Jul 13, 2026

Copy link
Copy Markdown
Member

@coderabbitai review

@coderabbitai

coderabbitai Bot commented Jul 13, 2026

Copy link
Copy Markdown
✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@mtrezza
mtrezza merged commit ce2de2c into master Jul 13, 2026
4 checks passed
@mtrezza
mtrezza deleted the dependabot/npm_and_yarn/multi-8b4e18c3c0 branch July 13, 2026 02:31
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant