
fix(deps): bump tar to 7.5.7 to fix CVE-2026-24842 #COMW-122#29

Merged
lukaszjaskowski merged 2 commits into master from fix/bump-tar-package on Jan 29, 2026

Conversation

@lukaszjaskowski lukaszjaskowski (Contributor) commented Jan 29, 2026

Motivation

Dependabot reported a high-severity vulnerability in the tar package (GHSA-34x7-hfp2-rc4v / CVE-2026-24842). The project uses tar@6.2.1 transitively via cacache and node-gyp. Instead of overriding tar directly, we upgrade node-gyp to a version that officially depends on tar 7.x, so the fix comes from the dependency chain rather than a resolution override.

Intended outcome

  • Resolve the tar vulnerability (GHSA-34x7-hfp2-rc4v / CVE-2026-24842)
  • Use node-gyp 12.x, which depends on tar ^7.5.4, instead of overriding tar
  • Keep build and test flows working

Overview of changes

  • package.json: Added "node-gyp": "12.2.0" under resolutions (instead of a tar override)
  • yarn.lock: Updated dependency chain:
    • node-gyp 10.2.0 → 12.2.0 (uses tar ^7.5.4)
    • make-fetch-happen 13.0.1 → 15.0.3 (uses cacache 20)
    • cacache 18.0.4 → 20.0.3 (no longer depends on tar)
    • tar 6.2.1 → 7.5.7 (via node-gyp’s declared dependency)

Quality assurance

  • yarn install — passes
  • yarn test — passes
  • yarn prepare (bob build) — passes
  • yarn typecheck — passes

Risk assessment: Low. node-gyp 12.x is the current release and officially supports tar 7.x. cacache 20 no longer uses tar. No SDK release is required; the change only affects the development/build environment.
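A defender-side check that follows from the dependency chain described above, written as an added example rather than code from this PR or its project: it parses a yarn.lock (v1 format), finds every resolved version of a package below the fixed floor (7.5.7 for tar here), and reports which lock entries declare a range that still resolves to it. The lock excerpt is constructed to mirror the old cacache -> tar 6 chain beside the new node-gyp -> tar 7 chain.

```javascript
// Added example (not from the PR): audit a yarn.lock (v1 format) for resolved versions of a
// package below a fixed floor and report which lock entries' ranges resolve to each of them.
const MIN_FIXED_TAR = "7.5.7"; // the version this PR bumps tar to
// Constructed yarn.lock excerpt: the old cacache -> tar 6 chain beside the new node-gyp -> tar 7 chain.
const SAMPLE_LOCK = `
cacache@^18.0.0:
  dependencies:
    tar "^6.1.11"
"node-gyp@12.2.0":
  dependencies:
    tar "^7.5.4"
tar@^6.1.11:
  version "6.2.1"
tar@^7.5.4:
  version "7.5.7"
`;
// Minimal yarn.lock v1 parser: entry header keys ("name@range, name@range:"), version, dependencies.
function parseLock(text) {
  const entries = []; let cur, inDeps = false;
  for (const raw of text.split("\n")) {
    const line = raw.trim();
    if (!line || line.startsWith("#")) continue;
    if (!raw.startsWith(" ")) {                    // unindented: header of a new entry
      cur = { keys: line.slice(0, -1).split(",").map(k => k.trim().replace(/"/g, "")), version: null, deps: {} };
      entries.push(cur); inDeps = false;
    } else if (inDeps && raw.startsWith("    ")) { // 4-space line under "dependencies:"
      const m = line.match(/^"?([^"\s]+)"?\s+"([^"]+)"$/);
      if (m) cur.deps[m[1]] = m[2];
    } else {                                       // 2-space field of the current entry
      if (line.startsWith("version ")) cur.version = line.split('"')[1];
      inDeps = line === "dependencies:";
    }
  }
  return entries;
}
const cmpVersion = (a, b) => {                     // numeric x.y.z compare; no prerelease handling
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  return [0, 1, 2].reduce((d, i) => d || pa[i] - pb[i], 0);
};
// Findings: every resolved version of `pkg` below `minFixed`, with the entries that pull it in.
function auditLock(text, pkg, minFixed) {
  const entries = parseLock(text), findings = [];
  for (const e of entries) {
    const ranges = e.keys.filter(k => k.startsWith(pkg + "@")).map(k => k.slice(pkg.length + 1));
    if (!ranges.length || cmpVersion(e.version, minFixed) >= 0) continue;
    const dependents = entries.filter(d => ranges.includes(d.deps[pkg])).map(d => d.keys[0]);
    findings.push({ version: e.version, dependents });
  }
  return findings;
}
```

Running `auditLock` over the real lockfile before and after the bump should go from one finding (tar 6.2.1 pulled in through cacache) to none, which is the check that confirms the chain upgrade actually removed the vulnerable version.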

@lukaszjaskowski lukaszjaskowski requested review from a team, macbem and quezak as code owners January 29, 2026 09:04
@github-actions

github-actions Bot commented Jan 29, 2026

Messages
📖

Jira issue(s) related to this PR:

Generated by 🚫 dangerJS against 439bd9d

@lukaszjaskowski lukaszjaskowski merged commit 5a4ab0e into master Jan 29, 2026
4 checks passed
@lukaszjaskowski lukaszjaskowski deleted the fix/bump-tar-package branch January 29, 2026 09:45