Bump tar dependency from 6.1.15 to 7.x in @mintlify/previewing (security) #5659

@ewenneborg

Summary

@mintlify/previewing@4.0.1083 (latest) still depends on tar@6.1.15, which is deprecated and has three open high-severity CVEs:

These show up as Dependabot alerts for any project that depends on mint / @mintlify/cli.

Why a simple pnpm/npm override doesn't work today

tar@7.x is ESM-only and removed the default export. dist/local-preview/client.js and dist/__tests__/downloadTargetMint.test.js use:

    import tar from 'tar';
    tar.x({ sync: true, file: TAR_PATH, cwd: DOT_MINTLIFY, ... });

Against tar v7 this throws SyntaxError: The requested module 'tar' does not provide an export named 'default'. Consumers therefore can't fix the CVEs themselves with an override — they have to ship a patch.

Suggested fix

Bump tar to ^7.5.11 in @mintlify/previewing and change the two import sites from default to namespace import:

    -import tar from 'tar';
    +import * as tar from 'tar';
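Review bot: the `-`/`+` pair above is shown against the compiled `dist/` files named earlier (`dist/local-preview/client.js`, `dist/__tests__/downloadTargetMint.test.js`); the import change needs to land in the source files that produce those build outputs, otherwise the next build reintroduces `import tar from 'tar'` and the `SyntaxError` comes back.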

The tar.x({ sync, file, cwd, onwarn }) call signature is unchanged between v6 and v7, so no other code needs to move. Mintlify CLI already requires Node ≥18, which satisfies tar v7's engines field.

Environment

  • @mintlify/previewing 4.0.800 (also reproduces against latest 4.0.1083 by inspection)
  • Node 24
  • pnpm 10.28.2
