
fix: upgrade tar@6 override to 7.5.7 to resolve CVE-2026-23745#1577

Merged
jmfernandezalba merged 3 commits into main from devin/1770842543-fix-tar-cve-2026-23745
Feb 16, 2026

Conversation

@devin-ai-integration
Contributor

Description

Resolves Dependabot alert #411, CVE-2026-23745 (high severity).

node-tar ≤ 7.5.2 is vulnerable to arbitrary file overwrite via hardlink escape and symlink poisoning due to insufficient linkpath sanitization. There is no patched 6.x release; the fix is only available in 7.5.3+.

This PR updates the pnpm override "tar@6": "6.2.1" to "tar@6": "7.5.7", which is a major version jump (6 → 7). The tar@7 override was already at 7.5.7.

Important for reviewers

  • tar 7 requires Node ≥ 18 — this repo requires ≥ 20.19.4, so engine constraint is satisfied.
  • The lockfile diff removes tar 6's sub-dependencies (chownr@2, fs-minipass@2, minipass@5, minizlib@2, mkdirp@1) since tar 7 uses different internals. This is expected cleanup.
  • The two transitive consumers now using tar 7 are cacache (npm/pnpm cache layer) and giget (template downloader). Please verify these are compatible with tar 7's API — tar 7 changed its streaming internals and some option names.

Requested by: @soinclined
Link to Devin run

Test plan

  • pnpm install completes without errors
  • pnpm lint passes
  • pnpm test:vitest — all 11 test tasks pass (48+ tests)
  • Verified lockfile no longer contains any tar@6.2.1 resolution — all tar now resolves to 7.5.7
  • CI should confirm no regressions

Package updates

No changes to files under packages/, so no changeset is needed. This is a root-level pnpm override change only.

Co-Authored-By: Penelope <penelope@paella.dev>
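As an added example (not code from the PR or the repository), the following Node script automates the lockfile check from the test plan: it scans pnpm-lock.yaml text for tar resolutions still in the range the description calls vulnerable (≤ 7.5.2) and confirms that the root package.json pnpm overrides pin tar to a patched release. The lockfile snippet and override objects are constructed samples, and the integrity values are placeholders.

```javascript
// Added example, not code from the PR or the repository: automate the test-plan check
// that no vulnerable tar (<= 7.5.2) resolution survives and that overrides pin a fix.
const VULN_MAX = '7.5.2';  // last vulnerable node-tar release named in the PR
const FIXED_MIN = '7.5.3'; // first patched release named in the PR
// Compare two plain x.y.z versions; returns -1, 0 or 1 (no prerelease handling).
function cmpVersion(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}
// Collect every resolved tar version in the lockfile text: package/snapshot keys
// ("tar@6.2.1:", or "/tar@6.2.1:" in older lockfiles) and dependency entries
// ("tar: 6.2.1"). Names such as "tar-stream@" or "tar-fs:" do not match.
function findTarVersions(lockText) {
  const versions = new Set();
  for (const m of lockText.matchAll(/^\s*\/?tar@(\d+\.\d+\.\d+)\b/gm)) versions.add(m[1]);
  for (const m of lockText.matchAll(/^\s+tar:\s+(\d+\.\d+\.\d+)\b/gm)) versions.add(m[1]);
  return [...versions].sort(cmpVersion);
}
// Resolved tar versions that are still within the vulnerable range.
function vulnerableTarVersions(lockText) {
  return findTarVersions(lockText).filter((v) => cmpVersion(v, VULN_MAX) <= 0);
}
// True when every "tar" / "tar@<major>" override in package.json is a fixed release.
function overridesAreFixed(pkgJson) {
  const overrides = (pkgJson.pnpm && pkgJson.pnpm.overrides) || {};
  return Object.entries(overrides)
    .filter(([name]) => name === 'tar' || name.startsWith('tar@'))
    .every(([, version]) => cmpVersion(version, FIXED_MIN) >= 0);
}
// Constructed sample inputs (not the repository's files; integrity values are placeholders).
const LOCK_BEFORE = `packages:
  tar@6.2.1:
    resolution: {integrity: sha512-PLACEHOLDER}
  tar@7.5.7:
    resolution: {integrity: sha512-PLACEHOLDER}
snapshots:
  tar-stream@0.0.0-sample:
    dependencies:
      tar: 6.2.1
`;
const LOCK_AFTER = LOCK_BEFORE.replace(/6\.2\.1/g, '7.5.7');
const PKG_BEFORE = { pnpm: { overrides: { 'tar@6': '6.2.1', 'tar@7': '7.5.7' } } };
const PKG_AFTER = { pnpm: { overrides: { 'tar@6': '7.5.7', 'tar@7': '7.5.7' } } };
```

Run it against the real pnpm-lock.yaml and package.json (read with fs) after pnpm install; an empty vulnerable list plus overridesAreFixed returning true is the condition the test plan describes.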
@changeset-bot

changeset-bot bot commented Feb 11, 2026

⚠️ No Changeset found

Latest commit: cc80373

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

@devin-ai-integration
Contributor Author

Original prompt from Penelope
Please use sub-agents to resolve the following dependabots with PRs that don't break anything and can pass all tests. Confirm before starting that you don't have a previous open PR to resolve them.

https://github.com/Crossmint/crossmint-sdk/security/dependabot/411

https://github.com/Paella-Labs/crossbit-main/security/dependabot/656

@devin-ai-integration
Contributor Author

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

  • Address comments on this PR that start with 'DevinAI' or '@devin'.
  • Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

  • Disable automatic comment and CI monitoring

Contributor

@greptile-apps greptile-apps bot left a comment


2 files reviewed, no comments

Edit Code Review Agent Settings | Greptile

Contributor

@greptile-apps greptile-apps bot left a comment


2 files reviewed, no comments

Edit Code Review Agent Settings | Greptile

Co-Authored-By: Penelope <penelope@paella.dev>
@github-actions
Contributor

🔥 Smoke Test Results

Status: Passed

Statistics

  • Total Tests: 5
  • Passed: 5 ✅
  • Failed: 0
  • Skipped: 0
  • Duration: 4.70 min

✅ All smoke tests passed!

All critical flows are working correctly.


This is a non-blocking smoke test. Full regression tests run separately.

Contributor

@greptile-apps greptile-apps bot left a comment


2 files reviewed, no comments

Edit Code Review Agent Settings | Greptile

@jmfernandezalba jmfernandezalba merged commit beb985f into main Feb 16, 2026
2 checks passed
@jmfernandezalba jmfernandezalba deleted the devin/1770842543-fix-tar-cve-2026-23745 branch February 16, 2026 13:46