fix: CVE-2026-23745 - update tar to ^7.5.3

[jonshilton]

Summary

This PR resolves CVE-2026-23745 - Arbitrary File Overwrite and Symlink Poisoning in the tar package.

Vulnerability Details

• CVE: CVE-2026-23745
• Affected versions: <= 7.5.2

Changes

• Updated package.json to resolve tar@^7.5.3
• The vulnerable tar is no longer in the dependency tree

Linear Issue

https://linear.app/multiverse-io/issue/SQD-1052/cve-2026-23745-node-tar-is-vulnerable-to-arbitrary-file-overwrite-and

---

Note

Low Risk
Dependency-only change to pin tar to a patched major version; main risk is build/runtime incompatibility if any tooling depended on tar@6 behavior.

Overview
Pins the transitive dependency tar to ^7.5.3 via package.json resolutions to address the reported CVE.

Updates yarn.lock to pull in tar@7.5.7 and its new dependency set (@isaacs/fs-minipass, chownr@3, minizlib@3, minipass@7, yallist@5), removing the previously locked tar@6 stack.

^{Written by Cursor Bugbot for commit 2c78115. Configure here.}

[linear]

SQD-1052 CVE-2026-23745: node-tar is Vulnerable to Arbitrary File Overwrite and Symlink Poisoning via Insufficient Path Sanitization

[tony]

@jonshilton LGTM, thanks for using resolutions 🙏

Demo

yarn start

yarn ts:build

Actually it's yarn run ts:build && yan ckeditor5-package-tools export-package-as-javascript

ckeditor5-math on  fix/sqd-1052-cve-2026-23745 ❯ yarn run ts:build && yarn ckeditor5-package-tools export-package-as-javascript
yarn run v1.22.22
warning ../../../package.json: No license field
$ tsc -p ./tsconfig.release.json
✨  Done in 0.58s.
yarn run v1.22.22
warning ../../../package.json: No license field
$ /Users/tony.narlock/work/multiverse/ckeditor5-math/node_modules/.bin/ckeditor5-package-tools export-package-as-javascript
✨  Done in 0.47s.

Looks good