forked from noble/node-bluetooth-hci-socket
Open
Description
Summary
package-lock.json currently resolves tar@6.2.1 via:
- @mapbox/node-pre-gyp@1.0.11 -> tar@^6.1.11
- node-gyp@10.3.1 -> tar@^6.2.1
This leaves the repo with open tar advisories such as hardlink/symlink escape issues (e.g. GHSA-83g3-92jg-28cx).
Why this matters
Dependabot cannot auto-resolve these advisories in the current dependency graph, because both paths are constrained to tar@6.x.
Proposed direction
- Update @mapbox/node-pre-gyp to ^2.0.3 (uses tar@^7.4.0)
- Update node-gyp to ^11.5.0 (uses tar@^7.4.3)
I prepared a PR for this update.
Compatibility note
This likely raises effective install-time Node requirements (because @mapbox/node-pre-gyp@2.x requires Node >=18).
If maintaining Node 10/12/14/16 compatibility is still required, please advise on preferred strategy (major release, conditional path, or alternative tooling).
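As an added example (not code from the issue or the repository), a small Node script that walks a lockfile's `packages` map the way npm resolves nested `node_modules` and reports which dependents still receive a tar below 7.x. The lockfile object is constructed inline to mirror the chain described above; its root entry and the `auditDependency`/`resolveDep` helper names are assumptions.

```javascript
// Constructed package-lock.json fragment (lockfileVersion 3 "packages" shape),
// modelled on the chain in the issue: both node-pre-gyp and node-gyp end up on
// the single hoisted tar@6.2.1. Root entry is an assumption, not from the page.
const LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { "@mapbox/node-pre-gyp": "^1.0.11", "node-gyp": "^10.3.1" } },
    "node_modules/@mapbox/node-pre-gyp": { version: "1.0.11", dependencies: { tar: "^6.1.11" } },
    "node_modules/node-gyp": { version: "10.3.1", dependencies: { tar: "^6.2.1" } },
    "node_modules/tar": { version: "6.2.1" },
  },
};
// npm-style lookup: a package at `fromPath` gets `dep` from its own node_modules,
// otherwise from the nearest ancestor's node_modules, ending at the root.
function resolveDep(lock, fromPath, dep) {
  let base = fromPath;
  for (;;) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + dep;
    if (lock.packages[candidate]) return { path: candidate, version: lock.packages[candidate].version };
    if (!base) return null; // reached the root without finding it
    const idx = base.lastIndexOf("/node_modules/");
    base = idx === -1 ? "" : base.slice(0, idx);
  }
}
// Package name = everything after the final "node_modules/" (scoped names kept intact).
function pkgName(pkgPath) {
  if (pkgPath === "") return "(root)";
  return pkgPath.slice(pkgPath.lastIndexOf("node_modules/") + "node_modules/".length);
}
// Every package that declares `dep`, the version it actually resolves to, and
// whether that version is below `minMajor` (7 here: the tar@^7.4 target in the issue).
function auditDependency(lock, dep, minMajor) {
  const findings = [];
  for (const [pkgPath, entry] of Object.entries(lock.packages)) {
    const range = entry.dependencies && entry.dependencies[dep];
    if (!range) continue;
    const resolved = resolveDep(lock, pkgPath, dep);
    const major = resolved ? parseInt(resolved.version.split(".")[0], 10) : NaN;
    findings.push({
      requirer: pkgName(pkgPath),
      range,
      resolved: resolved ? resolved.version : null,
      needsUpgrade: !resolved || !(major >= minMajor),
    });
  }
  return findings;
}
console.log(JSON.stringify(auditDependency(LOCK, "tar", 7), null, 2));
```

Running it against a real `package-lock.json` (`JSON.parse(fs.readFileSync(...))` in place of `LOCK`) shows the same two requirers the issue names, both flagged until each path reaches tar 7.x.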