Bump tar, @npmcli/arborist, npm-profile and pacote

[dependabot]

Bumps tar to 7.5.9 and updates ancestor dependencies tar, @npmcli/arborist, npm-profile and pacote. These dependencies need to be updated together.

Updates tar from 6.2.1 to 7.5.9

Changelog

Sourced from tar's changelog.

Changelog

7.5

• Added zstd compression support.
• Consistent TOCTOU behavior in sync t.list
• Only read from ustar block if not specified in Pax
• Fix sync tar.list when file size reduces while reading
• Sanitize absolute linkpaths properly
• Prevent writing hardlink entries to the archive ahead of their file target

7.4

• Deprecate onentry in favor of onReadEntry for clarity.

7.3

• Add onWriteEntry option

7.2

• DRY the command definitions into a single makeCommand method, and update the type signatures to more appropriately infer the return type from the options and arguments provided.

7.1

• Update minipass to v7.1.0
• Update the type definitions of write() and end() methods on Unpack and Parser classes to be compatible with the NodeJS.WritableStream type in the latest versions of @types/node.

7.0

• Drop support for node <18
• Rewrite in TypeScript, provide ESM and CommonJS hybrid interface
• Add tree-shake friendly exports, like import('tar/create') and import('tar/read-entry') to get individual functions or classes.
• Add chmod option that defaults to false, and deprecate noChmod. That is, reverse the default option regarding explicitly setting file system modes to match tar entry settings.
• Add processUmask option to avoid having to call process.umask() when chmod: true (or noChmod: false) is set.

... (truncated)

Commits

• 1f0c2c9 7.5.9
• fbb0851 build minified version as default export
• 6b8eba0 7.5.8
• 2cb1120 fix(unpack): improve UnpackSync symlink error "into" path accuracy
• d18e4e1 fix: do not write linkpaths through symlinks
• 4a37eb9 7.5.7
• f4a7aa9 fix: properly sanitize hard links containing ..
• 394ece6 7.5.6
• 7d4cc17 fix race puting a Link ahead of its target File
• 26ab904 7.5.5
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by isaacs, a new releaser for tar since your current version.

Install script changes

This version adds prepare script that runs during installation. Review the package contents before updating.

Updates @npmcli/arborist from 6.5.1 to 9.3.0

Release notes

Sourced from @​npmcli/arborist's releases.

arborist: v9.3.0

9.3.0 (2026-02-11)

Features

• 7c038b7 #8968 add support for git-256 sha lengths (#8968) (@​wraithgar)

arborist: v9.2.0

9.2.0 (2026-02-04)

Features

• f5f6cf7 #8943 config: add --allow-git (@​wraithgar)

arborist: v9.1.10

9.1.10 (2026-01-21)

Dependencies

• f951820 #8919 common-ancestor-path@2.0.0

arborist: v9.1.9

9.1.9 (2025-12-09)

Bug Fixes

• 0765289 #8721 handle ENOTEMPTY errors in moveFile (@​keegancsmith)

arborist: v9.1.8

9.1.8 (2025-11-25)

Bug Fixes

• b118364 #8760 undefined override set conflicts shouldn't error (@​owlstronaut)

Dependencies

• f963223 #8770 proggy@4.0.0
• f51e4aa #8770 nopt@9.0.0
• 2d15040 #8770 @npmcli/query@5.0.0
• 58650dc #8770 @npmcli/fs@5.0.0

arborist: v9.1.7

9.1.7 (2025-11-19)

Bug Fixes

• 3225fa3 #8737 fix usage of path of custom registry (#8737) (@​flj2mu2)
• e9f0418 #8689 arborist: improve override conflict detection with semantic comparison (#8689) (@​Artur-)
• 05319f0 #8677 code cleanup (#8677) (@​wraithgar)
• 49a4eef #8676 use look behind regex for trailing slash stripping (#8676) (@​wraithgar)
• b1aee62 #8645 dep flag calculation (#8645) (@​liamcmitchell)

Dependencies

• 8cc9f70 #8723 ssri@13.0.0
• 59b3c6a #8723 @npmcli/redact@4.0.0
• 6cb77df #8723 @npmcli/installed-package-contents@4.0.0
• 05ac7a7 #8723 proc-log@6.0.0
• 0a74f6d #8723 bin-links@6.0.0
• 041b9b2 #8723 parse-conflict-json@5.0.1
• a1b0fea #8723 @npmcli/name-from-folder@4.0.0
• 3404dca #8723 npm-install-checks@8.0.0
• 542fcf3 #8723 @npmcli/node-gyp@5.0.0

arborist: v9.1.6

... (truncated)

Changelog

Sourced from @​npmcli/arborist's changelog.

9.3.0 (2026-02-11)

Features

• 7c038b7 #8968 add support for git-256 sha lengths (#8968) (@​wraithgar)

9.2.0 (2026-02-04)

Features

• f5f6cf7 #8943 config: add --allow-git (@​wraithgar)

9.1.10 (2026-01-21)

Dependencies

• f951820 #8919 common-ancestor-path@2.0.0

9.1.9 (2025-12-09)

Bug Fixes

• 0765289 #8721 handle ENOTEMPTY errors in moveFile (@​keegancsmith)

9.1.8 (2025-11-25)

Bug Fixes

• b118364 #8760 undefined override set conflicts shouldn't error (@​owlstronaut)

Dependencies

• f963223 #8770 proggy@4.0.0
• f51e4aa #8770 nopt@9.0.0
• 2d15040 #8770 @npmcli/query@5.0.0
• 58650dc #8770 @npmcli/fs@5.0.0

9.1.7 (2025-11-19)

Bug Fixes

• 3225fa3 #8737 fix usage of path of custom registry (#8737) (@​flj2mu2)
• e9f0418 #8689 arborist: improve override conflict detection with semantic comparison (#8689) (@​Artur-)
• 05319f0 #8677 code cleanup (#8677) (@​wraithgar)
• 49a4eef #8676 use look behind regex for trailing slash stripping (#8676) (@​wraithgar)
• b1aee62 #8645 dep flag calculation (#8645) (@​liamcmitchell)

Dependencies

• 8cc9f70 #8723 ssri@13.0.0
• 59b3c6a #8723 @npmcli/redact@4.0.0
• 6cb77df #8723 @npmcli/installed-package-contents@4.0.0
• 05ac7a7 #8723 proc-log@6.0.0
• 0a74f6d #8723 bin-links@6.0.0
• 041b9b2 #8723 parse-conflict-json@5.0.1
• a1b0fea #8723 @npmcli/name-from-folder@4.0.0
• 3404dca #8723 npm-install-checks@8.0.0
• 542fcf3 #8723 @npmcli/node-gyp@5.0.0

9.1.6 (2025-10-08)

Bug Fixes

• 0a8b8c2 #8621 typo bugs and other spelling fixes (#8621) (@​jsoref)
• 54fd27f #8602 refactor node.ideallyInert to node.inert (#8602) (@​liamcmitchell)
• 13d8df6 #8537 optional set calculation (#8537) (@​liamcmitchell)

Chores

• 180e9f7 #8610 fix spelling in workspaces/arborist (#8610) (@​jsoref)

... (truncated)

Commits

• 4d27592 chore: release 9.3.0
• b584af0 fix: remove unneeded param default
• 2ba1171 fix: streamline workspace loading code
• 35c94e0 chore: remove coverage map
• 2383deb fix: clean urls from arborist, owner, and ping commands (#6037)
• c52cf6b fix: properly handle directory, file, git and alias specs in overrides
• 7018b3d chore: release 9.2.0
• 599c25e chore(deps): minify-registry-metadata@3.0.0 (#5939)
• 55e8e72 chore(deps): tap@16.3.2 (#5937)
• 372d158 deps: minimatch@5.1.1 (#5935)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by reggi, a new releaser for @​npmcli/arborist since your current version.

Updates npm-profile from 9.0.2 to 12.0.1

Release notes

Sourced from npm-profile's releases.

v12.0.1

12.0.1 (2025-10-23)

Dependencies

• f147b6d #171 bump proc-log from 5.0.0 to 6.0.0 (#171) (@​dependabot[bot])

Chores

• baa7d79 #170 bump @​npmcli/template-oss from 4.26.0 to 4.27.1 (#170) (@​dependabot[bot], @​npm-cli-bot)

v12.0.0

12.0.0 (2025-07-24)

⚠️ BREAKING CHANGES

• npm-profile now supports node ^20.17.0 || >=22.9.0

Bug Fixes

• 637f654 #164 align to npm 11 node engine range (@​owlstronaut)

Dependencies

• 7366688 #164 npm-registry-fetch@19.0.0

Chores

• 8934c09 #164 nock@13.5.6 (@​owlstronaut)
• ea70eaa #164 template-oss apply fix (@​owlstronaut)
• 2aa199f #161 postinstall workflow updates (#161) (@​owlstronaut)
• 87e427e #160 bump nock from 13.5.6 to 14.0.3 (#160) (@​dependabot[bot])
• 49ce76a #163 bump @​npmcli/template-oss from 4.24.4 to 4.25.0 (#163) (@​dependabot[bot], @​npm-cli-bot)

v11.0.1

11.0.1 (2024-10-02)

Dependencies

• 7c3c631 #155 bump npm-registry-fetch@18.0.0

v11.0.0

11.0.0 (2024-09-26)

⚠️ BREAKING CHANGES

• npm-profile now supports node ^18.17.0 || >=20.5.0

Bug Fixes

• a0ea10b #152 align to npm 10 node engine range (@​reggi)
• 4ea3f70 #144 exit handler error on login (#144) (@​milaninfy)

Dependencies

• 66bcc40 #152 proc-log@5.0.0

Chores

• 8ac1fdb #152 run template-oss-apply (@​reggi)
• 1fdff2e #146 bump @​npmcli/eslint-config from 4.0.5 to 5.0.0 (@​dependabot[bot])
• 5b3ebbc #134 bump @​npmcli/template-oss to 4.22.0 (@​lukekarrys)
• 6b4558f #147 postinstall for dependabot template-oss PR (@​hashtagchris)
• c644e89 #147 bump @​npmcli/template-oss from 4.23.1 to 4.23.3 (@​dependabot[bot])

v10.0.0

10.0.0 (2024-05-02)

⚠️ BREAKING CHANGES

• this uses AbortSignal.throwIfAborted() which is not available in all versions of Node 16
• hostname is no longer sent as part of the web auth body

... (truncated)

Changelog

Sourced from npm-profile's changelog.

12.0.1 (2025-10-23)

Dependencies

• f147b6d #171 bump proc-log from 5.0.0 to 6.0.0 (#171) (@​dependabot[bot])

Chores

• baa7d79 #170 bump @​npmcli/template-oss from 4.26.0 to 4.27.1 (#170) (@​dependabot[bot], @​npm-cli-bot)

12.0.0 (2025-07-24)

⚠️ BREAKING CHANGES

• npm-profile now supports node ^20.17.0 || >=22.9.0

Bug Fixes

• 637f654 #164 align to npm 11 node engine range (@​owlstronaut)

Dependencies

• 7366688 #164 npm-registry-fetch@19.0.0

Chores

• 8934c09 #164 nock@13.5.6 (@​owlstronaut)
• ea70eaa #164 template-oss apply fix (@​owlstronaut)
• 2aa199f #161 postinstall workflow updates (#161) (@​owlstronaut)
• 87e427e #160 bump nock from 13.5.6 to 14.0.3 (#160) (@​dependabot[bot])
• 49ce76a #163 bump @​npmcli/template-oss from 4.24.4 to 4.25.0 (#163) (@​dependabot[bot], @​npm-cli-bot)

11.0.1 (2024-10-02)

Dependencies

• 7c3c631 #155 bump npm-registry-fetch@18.0.0

11.0.0 (2024-09-26)

⚠️ BREAKING CHANGES

• npm-profile now supports node ^18.17.0 || >=20.5.0

Bug Fixes

• a0ea10b #152 align to npm 10 node engine range (@​reggi)
• 4ea3f70 #144 exit handler error on login (#144) (@​milaninfy)

Dependencies

• 66bcc40 #152 proc-log@5.0.0

Chores

• 8ac1fdb #152 run template-oss-apply (@​reggi)
• 1fdff2e #146 bump @​npmcli/eslint-config from 4.0.5 to 5.0.0 (@​dependabot[bot])
• 5b3ebbc #134 bump @​npmcli/template-oss to 4.22.0 (@​lukekarrys)
• 6b4558f #147 postinstall for dependabot template-oss PR (@​hashtagchris)
• c644e89 #147 bump @​npmcli/template-oss from 4.23.1 to 4.23.3 (@​dependabot[bot])

10.0.0 (2024-05-02)

⚠️ BREAKING CHANGES

• this uses AbortSignal.throwIfAborted() which is not available in all versions of Node 16
• hostname is no longer sent as part of the web auth body
• the opener function will now receive an object with an abort signal which can be used to listen for the abort event intead of an event emitter

Features

• f67687d #131 drop node 16 support (@​lukekarrys)

... (truncated)

Commits

• 7be7bec chore: release 12.0.1 (#172)
• f147b6d deps: bump proc-log from 5.0.0 to 6.0.0 (#171)
• baa7d79 chore: bump @​npmcli/template-oss from 4.26.0 to 4.27.1 (#170)
• 0bbb4b0 chore: bump @​npmcli/template-oss from 4.25.1 to 4.26.0 (#169)
• c26e344 chore: bump @​npmcli/template-oss from 4.25.0 to 4.25.1 (#167)
• d5e547c chore: release 12.0.0 (#165)
• 8934c09 chore: nock@13.5.6
• 7366688 deps: npm-registry-fetch@19.0.0
• ea70eaa chore: template-oss apply fix
• 637f654 fix!: align to npm 11 node engine range
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for npm-profile since your current version.

Updates pacote from 15.2.0 to 21.3.1

Release notes

Sourced from pacote's releases.

v21.3.1

21.3.1 (2026-02-10)

Bug Fixes

• 96e571a #439 ensure that resolved git ref matches expected sha (#439) (@​klassiker, pacotedev)

Chores

• 91847c4 #447 fix test for ssri ignoring invalid hashes (#447) (@​wraithgar)

v21.3.0

21.3.0 (2026-02-09)

Features

• 8f5091d #445 add support for git-256 sha lengths (#445) (@​wraithgar)

v21.2.0

21.2.0 (2026-02-06)

Features

• db21624 #442 implement gitSubdir according to npa spec (#442) (@​Kakadus)
• c2a4217 #443 add allowRemote, allowFile, allowDirectory (#443) (@​wraithgar)

v21.1.0

21.1.0 (2026-01-28)

Features

• 258e5fd #440 add allowGit option (#440) (@​wraithgar)

v21.0.4

21.0.4 (2025-11-13)

Dependencies

• edbcc02 #436 proc-log@6.0.0
• 8dc1f22 #436 @npmcli/installed-package-contents@4.0.0
• 505c3b0 #436 ssri@13.0.0
• a23fb17 #436 @npmcli/promise-spawn@9.0.0

Chores

• ff261aa #436 @npmcli/eslint-config@6.0.0 (@​wraithgar)
• 2bba862 #436 @npmcli/template-oss@4.28.0 (@​wraithgar)

v21.0.3

21.0.3 (2025-09-17)

Dependencies

• eed1bd5 #431 @npmcli/git@7.0.0 (#431)

v21.0.2

21.0.2 (2025-09-17)

Dependencies

• 32cb6d1 #429 npm-pick-manifest@11.0.1 (#429)

v21.0.1

21.0.1 (2025-09-02)

Dependencies

• aae7798 #428 @npmcli/run-script@10.0.0
• 1b233e3 #428 @npmcli/package-json@7.0.0
• d4b97ec #428 sigstore@4.0.0

... (truncated)

Changelog

Sourced from pacote's changelog.

21.3.1 (2026-02-10)

Bug Fixes

• 96e571a #439 ensure that resolved git ref matches expected sha (#439) (@​klassiker, pacotedev)

Chores

• 91847c4 #447 fix test for ssri ignoring invalid hashes (#447) (@​wraithgar)

21.3.0 (2026-02-09)

Features

• 8f5091d #445 add support for git-256 sha lengths (#445) (@​wraithgar)

21.2.0 (2026-02-06)

Features

• db21624 #442 implement gitSubdir according to npa spec (#442) (@​Kakadus)
• c2a4217 #443 add allowRemote, allowFile, allowDirectory (#443) (@​wraithgar)

21.1.0 (2026-01-28)

Features

• 258e5fd #440 add allowGit option (#440) (@​wraithgar)

21.0.4 (2025-11-13)

Dependencies

• edbcc02 #436 proc-log@6.0.0
• 8dc1f22 #436 @npmcli/installed-package-contents@4.0.0
• 505c3b0 #436 ssri@13.0.0
• a23fb17 #436 @npmcli/promise-spawn@9.0.0

Chores

• ff261aa #436 @npmcli/eslint-config@6.0.0 (@​wraithgar)
• 2bba862 #436 @npmcli/template-oss@4.28.0 (@​wraithgar)

21.0.3 (2025-09-17)

Dependencies

• eed1bd5 #431 @npmcli/git@7.0.0 (#431)

21.0.2 (2025-09-17)

Dependencies

• 32cb6d1 #429 npm-pick-manifest@11.0.1 (#429)

21.0.1 (2025-09-02)

Dependencies

• aae7798 #428 @npmcli/run-script@10.0.0
• 1b233e3 #428 @npmcli/package-json@7.0.0
• d4b97ec #428 sigstore@4.0.0
• cf27487 #428 npm-registry-fetch@19.0.0
• 3e89235 #428 npm-packlist@10.0.1
• d46fc27 #428 npm-package-arg@13.0.0
• 2a6a9f0 #428 hosted-git-info@9.0.0
• bbb72cf #428 cacache@20.0.0
• 8a642c0 #426 tar@7.4.3 (#426)

Chores

• f81d8ed #417 bump @​npmcli/arborist from 8.0.0 to 9.0.0 (#417) (@​dependabot[bot])

... (truncated)

Commits

• 18d36e6 chore: release 21.3.1 (#448)
• 96e571a fix: ensure that resolved git ref matches expected sha (#439)
• 91847c4 chore: fix test for ssri ignoring invalid hashes (#447)
• 411ceb6 chore: release 21.3.0 (#446)
• 8f5091d feat: add support for git-256 sha lengths (#445)
• 27cc5e1 chore: release 21.2.0 (#444)
• db21624 feat: implement gitSubdir according to npa spec (#442)
• c2a4217 feat: add allowRemote, allowFile, allowDirectory (#443)
• 7c9469d chore: release 21.1.0 (#441)
• 258e5fd feat: add allowGit option (#440)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for pacote since your current version.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.

[netlify]

❌ Deploy Preview for lando-core failed. Why did it fail? →

Name	Link
🔨 Latest commit	386fd54
🔍 Latest deploy log	https://app.netlify.com/projects/lando-core/deploys/69953aefde2cca0008dae02e