💬 Discussion in Slack: #pr-review-cli-219-chore-updated-tar-to-new-version Posted by Review Police — reviews, comments, new commits, and CI failures will stream into this channel.
LGTM — straightforward tar v6 → v7 bump; the npm wrapper's usage remains supported and the package still ships CommonJS.
Extended reasoning...
Overview
This PR bumps tar from ^6.2.0 to ^7.5.13 in the npm wrapper (npm/package.json and the regenerated npm/package-lock.json). The wrapper script (npm/src/index.cjs) uses tar only at one site — tar.x({ C: ..., filter: ... }) — to extract the downloaded CLI tarball during preinstall.
Security risks
None introduced. This is a forward upgrade of a well-known, widely-used package; it pulls in updated transitive deps (@isaacs/fs-minipass, chownr 3, minipass 7, minizlib 3, yallist 5) and removes the older mkdirp dependency. Lockfile integrity hashes are present.
Level of scrutiny
Low. Two-file change limited to dependency metadata, with a single, simple consumer of the tar API. The streaming extract usage (stream.pipe(zlib.createGunzip()).pipe(tar.x(...))) and the C/filter options remain part of tar v7's public API. tar v7 ships dual CJS/ESM (require/import exports), so the require("tar") call continues to work.
Other factors
The engine requirement rises to Node ≥18 (from ≥10) across the new dependency tree, which is acceptable given Node 16 is EOL. No code changes were needed alongside the bump, which is consistent with the API still matching the existing call site.
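The claims the review above makes about the regenerated lockfile (integrity hashes present, mkdirp dropped, Node ≥18 across the tree) can be checked mechanically; below is an added example of such a check, not code from the PR or the project. SAMPLE_LOCK is a constructed stand-in for npm/package-lock.json, the integrity values are placeholders, and the engines parse is a heuristic.

```javascript
// Audit a lockfileVersion 3 package-lock.json after a dependency bump:
//  (1) every installed package carries resolved + sha512 integrity,
//  (2) the bumped package is at the expected major,
//  (3) packages the bump was supposed to drop are really gone,
//  (4) the highest Node minimum declared in any package's engines.node.
// SAMPLE_LOCK is constructed for this example; integrity values are placeholders.
const SAMPLE_LOCK = {
  name: "npm-wrapper",
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { tar: "^7.5.13" } },
    "node_modules/tar": { version: "7.5.13", resolved: "https://registry.npmjs.org/tar/-/tar-7.5.13.tgz",
      integrity: "sha512-PLACEHOLDER", engines: { node: ">=18" } },
    "node_modules/minipass": { version: "7.1.2", resolved: "https://registry.npmjs.org/minipass/-/minipass-7.1.2.tgz",
      integrity: "sha512-PLACEHOLDER", engines: { node: ">=16 || 14 >=14.17" } },
    "node_modules/chownr": { version: "3.0.0", resolved: "https://registry.npmjs.org/chownr/-/chownr-3.0.0.tgz",
      integrity: "sha512-PLACEHOLDER", engines: { node: ">=18" } },
    "node_modules/legacy-thing": { version: "1.0.0", resolved: "https://registry.npmjs.org/legacy-thing/-/legacy-thing-1.0.0.tgz",
      integrity: "sha1-PLACEHOLDER" },
  },
};

// Lowest Node major a range such as ">=16 || 14 >=14.17" admits.
// Heuristic: the minimum over every ">=N" clause; null when no clause is found.
function minNodeMajor(range) {
  const majors = [...String(range).matchAll(/>=\s*(\d+)/g)].map((m) => Number(m[1]));
  return majors.length ? Math.min(...majors) : null;
}

function auditLock(lock, { bumped, removed = [] }) {
  const packages = lock.packages || {};
  const findings = [];
  let requiredNode = 0;
  for (const [key, pkg] of Object.entries(packages)) {
    if (key === "" || pkg.link) continue; // root entry and workspace symlinks have no tarball
    if (!pkg.resolved || !pkg.integrity) findings.push(`${key}: missing resolved or integrity`);
    else if (!pkg.integrity.startsWith("sha512-")) findings.push(`${key}: non-sha512 integrity`);
    const m = pkg.engines ? minNodeMajor(pkg.engines.node) : null;
    if (m !== null && m > requiredNode) requiredNode = m; // tree needs the strictest minimum
  }
  const entry = packages[`node_modules/${bumped.name}`];
  if (!entry) findings.push(`${bumped.name}: not installed`);
  else if (Number(entry.version.split(".")[0]) !== bumped.major)
    findings.push(`${bumped.name}: expected major ${bumped.major}, got ${entry.version}`);
  for (const name of removed)
    if (packages[`node_modules/${name}`]) findings.push(`${name}: should have been removed`);
  return { findings, requiredNode };
}

console.log(auditLock(SAMPLE_LOCK, { bumped: { name: "tar", major: 7 }, removed: ["mkdirp"] }));
```

Against the real lockfile, replace SAMPLE_LOCK with `JSON.parse(fs.readFileSync("npm/package-lock.json", "utf8"))`; an empty findings list and requiredNode of 18 corresponds to what the review states.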
Description 📣
This PR updates the tar package to the second latest version.
Type ✨
Tests 🛠️
# Here's some code block to paste some code snippets