chore(deps): bump tar, @npmcli/run-script, cacache, make-fetch-happen, node-gyp, npm-profile, npm-registry-fetch and pacote

[dependabot]

Bumps tar, @npmcli/run-script, cacache, make-fetch-happen, node-gyp, npm-profile, npm-registry-fetch and pacote. These dependencies needed to be updated together.
Updates tar from 6.1.11 to 7.5.7

Release notes

Sourced from tar's releases.

v6.1.13

6.1.13 (2022-12-07)

Dependencies

• cc4e0dd #343 bump minipass from 3.3.6 to 4.0.0

v6.1.12

6.1.12 (2022-10-31)

Bug Fixes

• 57493ee #332 ensuring close event is emited after stream has ended (@​webark)
• b003c64 #314 replace deprecated String.prototype.substr() (#314) (@​CommanderRoot, @​lukekarrys)

Documentation

• f129929 #313 remove dead link to benchmarks (#313) (@​yetzt)
• c1faa9f add examples/explanation of using tar.t (@​isaacs)

Changelog

Sourced from tar's changelog.

Changelog

7.5

• Added zstd compression support.
• Consistent TOCTOU behavior in sync t.list
• Only read from ustar block if not specified in Pax
• Fix sync tar.list when file size reduces while reading
• Sanitize absolute linkpaths properly
• Prevent writing hardlink entries to the archive ahead of their file target

7.4

• Deprecate onentry in favor of onReadEntry for clarity.

7.3

• Add onWriteEntry option

7.2

• DRY the command definitions into a single makeCommand method, and update the type signatures to more appropriately infer the return type from the options and arguments provided.

7.1

• Update minipass to v7.1.0
• Update the type definitions of write() and end() methods on Unpack and Parser classes to be compatible with the NodeJS.WritableStream type in the latest versions of @types/node.

7.0

• Drop support for node <18
• Rewrite in TypeScript, provide ESM and CommonJS hybrid interface
• Add tree-shake friendly exports, like import('tar/create') and import('tar/read-entry') to get individual functions or classes.
• Add chmod option that defaults to false, and deprecate noChmod. That is, reverse the default option regarding explicitly setting file system modes to match tar entry settings.
• Add processUmask option to avoid having to call process.umask() when chmod: true (or noChmod: false) is set.

... (truncated)

Commits

• 4a37eb9 7.5.7
• f4a7aa9 fix: properly sanitize hard links containing ..
• 394ece6 7.5.6
• 7d4cc17 fix race puting a Link ahead of its target File
• 26ab904 7.5.5
• e9a1ddb fix: do not prevent valid linkpaths within archive
• 911c886 7.5.4
• 3b1abfa normalize out unicode ligatures
• a43478c remove some unused files
• 970c58f update deps
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by isaacs, a new releaser for tar since your current version.

Updates @npmcli/run-script from 4.2.0 to 10.0.3

Release notes

Sourced from @​npmcli/run-script's releases.

v10.0.3

10.0.3 (2025-11-13)

Dependencies

• 5d563f2 #253 bump node-gyp from 11.5.0 to 12.1.0 (#253) (@​dependabot[bot])
• 870617f #252 bump which from 5.0.0 to 6.0.0 (#252) (@​dependabot[bot])

Chores

• 459b0d4 #250 bump @​npmcli/template-oss from 4.27.1 to 4.28.0 (#250) (@​dependabot[bot], @​npm-cli-bot)

v10.0.2

10.0.2 (2025-10-24)

Dependencies

• 1709ff7 #247 bump @​npmcli/promise-spawn from 8.0.3 to 9.0.0 (#247) (@​dependabot[bot])

Chores

• 1ae56c0 #248 bump @​npmcli/eslint-config from 5.1.0 to 6.0.0 (#248) (@​dependabot[bot])

v10.0.1

10.0.1 (2025-10-23)

Dependencies

• 796de97 #245 bump @​npmcli/node-gyp from 4.0.0 to 5.0.0 (#245) (@​dependabot[bot])
• a35bc34 #244 bump proc-log from 5.0.0 to 6.0.0 (#244) (@​dependabot[bot])

Chores

• 7ce2c09 #243 bump @​npmcli/template-oss from 4.26.0 to 4.27.1 (#243) (@​dependabot[bot], @​npm-cli-bot)

v10.0.0

10.0.0 (2025-09-02)

⚠️ BREAKING CHANGES

• run-script now supports node ^20.17.0 || >=22.9.0

Bug Fixes

• e0eea71 #239 align to npm 11 node engine range (@​owlstronaut)

Dependencies

• fb8aed9 #239 @npmcli/package-json@7.0.0

Chores

• 795e49e #234 postinstall workflow updates (#234) (@​owlstronaut)
• 0d78e0c #236 bump @​npmcli/template-oss from 4.24.4 to 4.25.0 (#236) (@​dependabot[bot], @​npm-cli-bot)

v9.1.0

9.1.0 (2025-03-07)

Features

• 21694f2 #230 use nodeGyp option (#230) (@​wraithgar, @​legobeat)

Chores

• fea1ba3 #229 bump @​npmcli/template-oss from 4.23.4 to 4.23.5 (#229) (@​dependabot[bot], @​npm-cli-bot)

v9.0.2

9.0.2 (2024-12-04)

Dependencies

• 74f7e7a #227 node-gyp@11.0.0 (#227)

Chores

• 2107147 #226 bump @​npmcli/template-oss from 4.23.3 to 4.23.4 (#226) (@​dependabot[bot], @​npm-cli-bot)

v9.0.1

... (truncated)

Changelog

Sourced from @​npmcli/run-script's changelog.

10.0.3 (2025-11-13)

Dependencies

• 5d563f2 #253 bump node-gyp from 11.5.0 to 12.1.0 (#253) (@​dependabot[bot])
• 870617f #252 bump which from 5.0.0 to 6.0.0 (#252) (@​dependabot[bot])

Chores

• 459b0d4 #250 bump @​npmcli/template-oss from 4.27.1 to 4.28.0 (#250) (@​dependabot[bot], @​npm-cli-bot)

10.0.2 (2025-10-24)

Dependencies

• 1709ff7 #247 bump @​npmcli/promise-spawn from 8.0.3 to 9.0.0 (#247) (@​dependabot[bot])

Chores

• 1ae56c0 #248 bump @​npmcli/eslint-config from 5.1.0 to 6.0.0 (#248) (@​dependabot[bot])

10.0.1 (2025-10-23)

Dependencies

• 796de97 #245 bump @​npmcli/node-gyp from 4.0.0 to 5.0.0 (#245) (@​dependabot[bot])
• a35bc34 #244 bump proc-log from 5.0.0 to 6.0.0 (#244) (@​dependabot[bot])

Chores

• 7ce2c09 #243 bump @​npmcli/template-oss from 4.26.0 to 4.27.1 (#243) (@​dependabot[bot], @​npm-cli-bot)

10.0.0 (2025-09-02)

⚠️ BREAKING CHANGES

• run-script now supports node ^20.17.0 || >=22.9.0

Bug Fixes

• e0eea71 #239 align to npm 11 node engine range (@​owlstronaut)

Dependencies

• fb8aed9 #239 @npmcli/package-json@7.0.0

Chores

• 795e49e #234 postinstall workflow updates (#234) (@​owlstronaut)
• 0d78e0c #236 bump @​npmcli/template-oss from 4.24.4 to 4.25.0 (#236) (@​dependabot[bot], @​npm-cli-bot)

9.1.0 (2025-03-07)

Features

• 21694f2 #230 use nodeGyp option (#230) (@​wraithgar, @​legobeat)

Chores

• fea1ba3 #229 bump @​npmcli/template-oss from 4.23.4 to 4.23.5 (#229) (@​dependabot[bot], @​npm-cli-bot)

9.0.2 (2024-12-04)

Dependencies

• 74f7e7a #227 node-gyp@11.0.0 (#227)

Chores

• 2107147 #226 bump @​npmcli/template-oss from 4.23.3 to 4.23.4 (#226) (@​dependabot[bot], @​npm-cli-bot)

9.0.1 (2024-10-02)

Dependencies

• f0e3923 #223 bump which@5.0.0
• 1dabced #223 bump @npmcli/package-json@6.0.0

9.0.0 (2024-09-26)

⚠️ BREAKING CHANGES

... (truncated)

Commits

• 9c30731 chore: release 10.0.3 (#254)
• 5d563f2 deps: bump node-gyp from 11.5.0 to 12.1.0 (#253)
• 870617f deps: bump which from 5.0.0 to 6.0.0 (#252)
• 459b0d4 chore: bump @​npmcli/template-oss from 4.27.1 to 4.28.0 (#250)
• 5f31cda chore: release 10.0.2 (#249)
• 1709ff7 deps: bump @​npmcli/promise-spawn from 8.0.3 to 9.0.0 (#247)
• 1ae56c0 chore: bump @​npmcli/eslint-config from 5.1.0 to 6.0.0 (#248)
• 7eeaaff chore: release 10.0.1 (#246)
• 796de97 deps: bump @​npmcli/node-gyp from 4.0.0 to 5.0.0 (#245)
• a35bc34 deps: bump proc-log from 5.0.0 to 6.0.0 (#244)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for @​npmcli/run-script since your current version.

Updates cacache from 16.1.1 to 20.0.3

Release notes

Sourced from cacache's releases.

v20.0.3

20.0.3 (2025-11-19)

Dependencies

• f3a2cdd #322 bump glob from 11.1.0 to 13.0.0 (#322) (@​dependabot[bot])
• 6f96e0f #319 bump @​npmcli/fs from 4.0.0 to 5.0.0 (#319) (@​dependabot[bot])
• 49565c9 #320 bump unique-filename from 4.0.0 to 5.0.0 (#320) (@​dependabot[bot])

Chores

• f813148 #321 bump @​npmcli/eslint-config from 5.1.0 to 6.0.1 (#321) (@​dependabot[bot])
• 57fc04f #323 bump @​npmcli/template-oss from 4.25.0 to 4.28.0 (#323) (@​dependabot[bot], @​npm-cli-bot)

v20.0.2

20.0.2 (2025-11-17)

Dependencies

• 79d843c #316 ssri@13.0.0 (#316)

v20.0.1

20.0.1 (2025-08-18)

Dependencies

• b237808 #314 remove tar (#314)

v20.0.0

20.0.0 (2025-07-24)

⚠️ BREAKING CHANGES

• cacache now supports node ^20.17.0 || >=22.9.0

Bug Fixes

• de558cb #310 align to npm 11 node engine range (@​owlstronaut)

Dependencies

• 7d2cfd1 #310 @npmcli/template-oss@4.25.0
• caf9538 #310 lru-cache@11.1.0
• bdc28cf #310 glob@11.0.3

Chores

• 7d005df #310 template-oss apply fix (@​owlstronaut)
• 49e75b8 #304 bump @​npmcli/template-oss from 4.23.3 to 4.23.4 (#304) (@​dependabot[bot], @​npm-cli-bot)

v19.0.1

19.0.1 (2024-09-26)

Dependencies

• e56c7fc #302 update p-map from ^4.0.0 to ^7.0.2 (#302)

v19.0.0

19.0.0 (2024-09-26)

⚠️ BREAKING CHANGES

• cacache now supports node ^18.17.0 || >=20.5.0

Bug Fixes

• cc9eee3 #300 align to npm 10 node engine range (@​reggi)

Dependencies

• beaab7c #291 bump tar from 6.2.1 to 7.4.3 (#291)
• 81b6e34 #300 unique-filename@4.0.0
• dcab1af #300 ssri@12.0.0
• ba3a3b8 #300 @npmcli/fs@4.0.0

... (truncated)

Changelog

Sourced from cacache's changelog.

20.0.3 (2025-11-19)

Dependencies

• f3a2cdd #322 bump glob from 11.1.0 to 13.0.0 (#322) (@​dependabot[bot])
• 6f96e0f #319 bump @​npmcli/fs from 4.0.0 to 5.0.0 (#319) (@​dependabot[bot])
• 49565c9 #320 bump unique-filename from 4.0.0 to 5.0.0 (#320) (@​dependabot[bot])

Chores

• f813148 #321 bump @​npmcli/eslint-config from 5.1.0 to 6.0.1 (#321) (@​dependabot[bot])
• 57fc04f #323 bump @​npmcli/template-oss from 4.25.0 to 4.28.0 (#323) (@​dependabot[bot], @​npm-cli-bot)

20.0.2 (2025-11-17)

Dependencies

• 79d843c #316 ssri@13.0.0 (#316)

20.0.1 (2025-08-18)

Dependencies

• b237808 #314 remove tar (#314)

20.0.0 (2025-07-24)

⚠️ BREAKING CHANGES

• cacache now supports node ^20.17.0 || >=22.9.0

Bug Fixes

• de558cb #310 align to npm 11 node engine range (@​owlstronaut)

Dependencies

• 7d2cfd1 #310 @npmcli/template-oss@4.25.0
• caf9538 #310 lru-cache@11.1.0
• bdc28cf #310 glob@11.0.3

Chores

• 7d005df #310 template-oss apply fix (@​owlstronaut)
• 49e75b8 #304 bump @​npmcli/template-oss from 4.23.3 to 4.23.4 (#304) (@​dependabot[bot], @​npm-cli-bot)

19.0.1 (2024-09-26)

Dependencies

• e56c7fc #302 update p-map from ^4.0.0 to ^7.0.2 (#302)

19.0.0 (2024-09-26)

⚠️ BREAKING CHANGES

• cacache now supports node ^18.17.0 || >=20.5.0

Bug Fixes

• cc9eee3 #300 align to npm 10 node engine range (@​reggi)

Dependencies

• beaab7c #291 bump tar from 6.2.1 to 7.4.3 (#291)
• 81b6e34 #300 unique-filename@4.0.0
• dcab1af #300 ssri@12.0.0
• ba3a3b8 #300 @npmcli/fs@4.0.0

Chores

• 73ce729 #300 run template-oss-apply (@​reggi)
• f663562 #294 bump @​npmcli/eslint-config from 4.0.5 to 5.0.0 (@​dependabot[bot])
• 74ac800 #295 postinstall for dependabot template-oss PR (@​hashtagchris)
• ae95894 #295 bump @​npmcli/template-oss from 4.23.1 to 4.23.3 (@​dependabot[bot])

... (truncated)

Commits

• 12ca70c chore: release 20.0.3 (#324)
• 57fc04f chore: bump @​npmcli/template-oss from 4.25.0 to 4.28.0 (#323)
• f3a2cdd deps: bump glob from 11.1.0 to 13.0.0 (#322)
• 6f96e0f deps: bump @​npmcli/fs from 4.0.0 to 5.0.0 (#319)
• 49565c9 deps: bump unique-filename from 4.0.0 to 5.0.0 (#320)
• f813148 chore: bump @​npmcli/eslint-config from 5.1.0 to 6.0.1 (#321)
• 450cfc3 chore: release 20.0.2 (#317)
• 79d843c deps: ssri@13.0.0 (#316)
• bb9b0b0 chore: release 20.0.1 (#315)
• b237808 deps: remove tar (#314)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for cacache since your current version.

Updates make-fetch-happen from 10.2.0 to 15.0.3

Release notes

Sourced from make-fetch-happen's releases.

v15.0.3

15.0.3 (2025-11-13)

Dependencies

• 8e31112 #337 minipass-fetch@5.0.0
• c4b22e3 #337 ssri@13.0.0
• 3fe68b2 #337 proc-log@6.0.0

v15.0.2

15.0.2 (2025-09-18)

Dependencies

• dfced01 #335 @npmcli/agent@4.0.0

v15.0.1

15.0.1 (2025-08-19)

Dependencies

• 852a0d3 #333 cacache@20.0.1

v15.0.0

15.0.0 (2025-07-24)

⚠️ BREAKING CHANGES

• make-fetch-happen now supports node ^20.17.0 || >=22.9.0

Bug Fixes

• 070a458 #331 align to npm 11 node engine range (@​owlstronaut)

Dependencies

• 2eb291c #331 cacache@20.0.0
• 0ff7492 #331 @npmcli/template-oss@4.25.0

Chores

• 525c84c #331 template-oss apply fix (@​owlstronaut)
• a00560d #330 bump @​npmcli/template-oss from 4.23.4 to 4.24.3 (#330) (@​owlstronaut)

v14.0.3

14.0.3 (2024-10-21)

Bug Fixes

• 3e0fe87 #316 stop ignoring NODE_TLS_REJECT_UNAUTHORIZED when strictSSL is not defined (#316) (@​brunoargolo, Bruno Oliveira)

Dependencies

• 05fbcc3 #327 bump negotiator from 0.6.4 to 1.0.0 (#327) (@​dependabot[bot])

v14.0.2

14.0.2 (2024-10-16)

Bug Fixes

• fa5f233 #324 don't use the request signal in the agent (#324) (@​thewilkybarkid, @​wraithgar)

Chores

• b3742c5 #323 bump @​npmcli/template-oss from 4.23.3 to 4.23.4 (#323) (@​dependabot[bot], @​npm-cli-bot)

v14.0.1

14.0.1 (2024-10-02)

Dependencies

• 5eae0b6 #321 bump cacache@19.0.1

v14.0.0

... (truncated)

Changelog

Sourced from make-fetch-happen's changelog.

15.0.3 (2025-11-13)

Dependencies

• 8e31112 #337 minipass-fetch@5.0.0
• c4b22e3 #337 ssri@13.0.0
• 3fe68b2 #337 proc-log@6.0.0

15.0.2 (2025-09-18)

Dependencies

• dfced01 #335 @npmcli/agent@4.0.0

15.0.1 (2025-08-19)

Dependencies

• 852a0d3 #333 cacache@20.0.1

15.0.0 (2025-07-24)

⚠️ BREAKING CHANGES

• make-fetch-happen now supports node ^20.17.0 || >=22.9.0

Bug Fixes

• 070a458 #331 align to npm 11 node engine range (@​owlstronaut)

Dependencies

• 2eb291c #331 cacache@20.0.0
• 0ff7492 #331 @npmcli/template-oss@4.25.0

Chores

• 525c84c #331 template-oss apply fix (@​owlstronaut)
• a00560d #330 bump @​npmcli/template-oss from 4.23.4 to 4.24.3 (#330) (@​owlstronaut)

14.0.3 (2024-10-21)

Bug Fixes

• 3e0fe87 #316 stop ignoring NODE_TLS_REJECT_UNAUTHORIZED when strictSSL is not defined (#316) (@​brunoargolo, Bruno Oliveira)

Dependencies

• 05fbcc3 #327 bump negotiator from 0.6.4 to 1.0.0 (#327) (@​dependabot[bot])

14.0.2 (2024-10-16)

Bug Fixes

• fa5f233 #324 don't use the request signal in the agent (#324) (@​thewilkybarkid, @​wraithgar)

Chores

• b3742c5 #323 bump @​npmcli/template-oss from 4.23.3 to 4.23.4 (#323) (@​dependabot[bot], @​npm-cli-bot)

14.0.1 (2024-10-02)

Dependencies

• 5eae0b6 #321 bump cacache@19.0.1

14.0.0 (2024-09-26)

⚠️ BREAKING CHANGES

• make-fetch-happen now supports node ^18.17.0 || >=20.5.0

Bug Fixes

• a1beba7 #318 align to npm 10 node engine range (@​reggi)

Dependencies

• aa5d07a #318 ssri@12.0.0
• 0113d1f #318 proc-log@5.0.0

... (truncated)

Commits

• 159464a chore: release 15.0.3 (#338)
• 8e31112 deps: minipass-fetch@5.0.0
• c4b22e3 deps: ssri@13.0.0
• 3fe68b2 deps: proc-log@6.0.0
• 7fdd0a2 chore: release 15.0.2 (#336)
• dfced01 deps: @​npmcli/agent@​4.0.0
• 9473230 chore: release 15.0.1 (#334)
• 852a0d3 deps: cacache@20.0.1
• 088b79d chore: release 15.0.0 (#332)
• 2eb291c deps: cacache@20.0.0
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for make-fetch-happen since your current version.

Updates node-gyp from 9.0.0 to 12.2.0

Release notes

Sourced from node-gyp's releases.

v12.2.0

12.2.0 (2026-01-26)

Features

• include built package version in error logs (#3254) (ee9cbdd)
• update gyp-next to v0.21.1 (#3273) (888ff2c)

Bug Fixes

• cpu concurrency detection on some platforms (#3255) (f15b79a), closes #3191
• python is no longer a valid npm config setting (#3258) (c7c678f)
• Switch to URL instead of url.parse (#3256) (3f81949)
• Test Windows on Python 3.14, not 3.13 (#3262) (7b4f315)

Core

• deps: bump actions/checkout from 5 to 6 (#3248) (db5385c)

Doc

• add a note about changes in gyp folder (#3259) (a52bc81)
• correct typos (#3269) (0f2bc7d)
• remove obsolete Microsoft Node.js Guidelines link (#3268) (30cda26)
• update Python manual install instructions for Windows (#3265) (0407877)

Miscellaneous

• deps: upgrade tar to 7.5.4 to address CVE-2026-23950 (#3271) (7bf371c)

v12.1.0

12.1.0 (2025-11-12)

Features

• Add support for Visual Studio 2026 (18.x) (69e5fd2)
• Support for Visual Studio 2026 (18.x) (69e5fd2)

v12.0.0

12.0.0 (2025-11-10)

⚠ BREAKING CHANGES

... (truncated)

Changelog

Sourced from node-gyp's changelog.

12.2.0 (2026-01-26)Description has been truncated

[changeset-bot]

⚠️ No Changeset found

Latest commit: 34f4100

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR