[Snyk] Security upgrade tar from 6.2.0 to 7.5.4

[maidul98]

Snyk has created this PR to fix 1 vulnerabilities in the npm dependencies of this project.

Snyk changed the following file(s):

• npm/package.json
• npm/package-lock.json

Vulnerabilities that will be fixed with an upgrade:

	Issue	Score
	Improper Handling of Unicode Encoding SNYK-JS-TAR-15038581	713

---

Important

• Check the changes in this PR to ensure they won't cause issues with your project.
• Max score is 1000. Note that the real score may have changed since the PR was raised.
• This PR was automatically created by Snyk using the credentials of a real user.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Learn about vulnerability in an interactive lesson of Snyk Learn.

[greptile-apps]

Greptile Summary

This PR upgrades the tar package from v6.2.0 to v7.5.4 to address a medium-severity security vulnerability (SNYK-JS-TAR-15038581: Improper Handling of Unicode Encoding, score 713/1000). The upgrade is automatically generated by Snyk.

Key changes:

• Updates tar dependency with caret range ^7.5.4 in package.json
• Updates lockfile with new dependency tree including updated minipass (v7.1.2), minizlib (v3.1.0), chownr (v3.0.0), and new @isaacs/fs-minipass (v4.0.1)
• The tar.x() API used in npm/src/index.cjs:150 remains compatible with v7

Potential breaking change: The tar v7 package requires Node.js >=18 (up from >=10 in v6). This is a breaking change if any users install this package in environments with Node.js <18. Your CI workflow uses Node 20, which is compatible.

Confidence Score: 4/5

• This PR is safe to merge with one minor consideration about Node.js version requirements
• The security upgrade fixes a documented vulnerability and the tar API usage in the codebase (tar.x()) remains compatible with v7. The main consideration is the Node.js version requirement increase from >=10 to >=18, which could affect users in older environments, but the project's CI already uses Node 20
• No files require special attention - this is a straightforward dependency security upgrade

Important Files Changed

Filename	Overview
npm/package.json	Updates tar dependency from ^6.2.0 to ^7.5.4 to fix security vulnerability SNYK-JS-TAR-15038581
npm/package-lock.json	Updates lockfile with tar v7.5.4 and its dependencies, including updated minipass, minizlib, chownr, and new @isaacs/fs-minipass

[greptile-apps]

_{1 file reviewed, 1 comment}

_{Edit Code Review Agent Settings | Greptile}

[greptile-apps]

style: The tar package upgrade from v6 to v7 requires Node.js >=18 (previously >=10). Check that all environments where this npm package is installed meet this requirement. Your CI uses Node 20 (/github/infisical/cli/.github/workflows/release_build_infisical_cli.yml:60), which is compatible.