From 977360e35137ccdd26bb8da8b53f81c4b60720d1 Mon Sep 17 00:00:00 2001
From: David Grunzweig <dggrunzweig@gmail.com>
Date: Mon, 2 Feb 2026 10:03:43 -0800
Subject: [PATCH] Fix Dependabot security alert for tar

Update tar resolution to 7.5.7 (high: arbitrary file creation via hardlink path traversal)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
---
 package.json | 2 +-
 yarn.lock    | 8 ++++----
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/package.json b/package.json
index 8c6705a..2c36046 100644
--- a/package.json
+++ b/package.json
@@ -30,7 +30,7 @@
     "vite": "6.4.1",
     "@babel/runtime": "7.27.1",
     "@babel/helpers": "7.27.1",
-    "tar": "7.5.4",
+    "tar": "7.5.7",
     "qs": "6.14.1",
     "brace-expansion@^1.1.7": "1.1.12",
     "brace-expansion@^2.0.1": "2.0.2"
diff --git a/yarn.lock b/yarn.lock
index ae7d1b4..d969c76 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -8587,16 +8587,16 @@ __metadata:
   languageName: node
   linkType: hard
 
-"tar@npm:7.5.4":
-  version: 7.5.4
-  resolution: "tar@npm:7.5.4"
+"tar@npm:7.5.7":
+  version: 7.5.7
+  resolution: "tar@npm:7.5.7"
   dependencies:
     "@isaacs/fs-minipass": "npm:^4.0.0"
     chownr: "npm:^3.0.0"
     minipass: "npm:^7.1.2"
     minizlib: "npm:^3.1.0"
     yallist: "npm:^5.0.0"
-  checksum: 10c0/9e744b10a32cea651430ec541ec9326d5d4b09381ab4cecf152f9a35069528510c55517fc70d2996c3d07b16370c66205f1b52dd260b6cd1d1dfbc8940050920
+  checksum: 10c0/51f261afc437e1112c3e7919478d6176ea83f7f7727864d8c2cce10f0b03a631d1911644a567348c3063c45abdae39718ba97abb073d22aa3538b9a53ae1e31c
   languageName: node
   linkType: hard