deps: update tar to 7.5.2 to fix CVE-2025-64118

[soinclined]

Description

This PR updates the tar package from version 7.5.1 to 7.5.2 to address security vulnerability CVE-2025-64118, which was flagged by Dependabot alert #371.

The vulnerability involves a race condition in tar.list() with sync: true that could lead to uninitialized memory exposure if a tar file is truncated while being read. While the conditions for exploitation are specific (requires sync mode, attacker-controlled file truncation, and processing of entry contents), updating to the patched version eliminates the risk entirely.

The fix was implemented using pnpm's overrides feature to force all transitive dependencies to use tar@7.5.2, ensuring minimal changes to the dependency tree. As a bonus, this also cleaned up an old unused tar@6.2.1 dependency and its related packages.

Test plan

• ✅ All library builds pass (pnpm build:libs)
• ✅ All unit tests pass (pnpm test:vitest - 48 tests across 15 suites)
• ✅ Lint checks pass (pnpm lint)
• ✅ Verified tar@7.5.2 is the only tar version in pnpm-lock.yaml
• ⏳ CI checks pending (will verify on PR)

Package updates

This is a security patch for a transitive dependency. No changeset is required as this doesn't affect the public API of any published packages.

---

Link to Devin run: https://app.devin.ai/sessions/ed69d15ffcf0484dac24e49393cfc641
Requested by: Penelope (@soinclined)

Review checklist:

• Verify Dependabot alert Bumping @crossmint/common-sdk-base to 1.1.6 #371 is resolved after merge
• Confirm CI passes (especially any integration tests)
• Check that only tar@7.5.2 appears in the lockfile (no 7.5.1 remaining)

[devin-ai-integration]

Original prompt from Penelope

https://github.com/Crossmint/crossmint-sdk/security/dependabot/371 

please create a PR that does what this dependabot cannot, confirm it doesn't break anything and changes as little as possible, and then share hte PR with me to review 

[devin-ai-integration]

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

• Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
• Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

• Disable automatic comment and CI monitoring

[changeset-bot]

⚠️ No Changeset found

Latest commit: 03cdad5

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

1 Skipped Deployment

Project	Deployment	Preview	Comments	Updated (UTC)
smart-wallet-auth-demo	Ignored			Nov 13, 2025 1:50am