fix(deps): bump tar override to 7.5.10 (GHSA-qffp-2rhf-9h96)#280

Merged
marcusrbrown merged 2 commits into main from copilot/fix-dependabot-security-alert
Mar 8, 2026

Conversation

Contributor

Copilot AI commented Mar 7, 2026

Dependabot alert #27: tar ≤ 7.5.9 allows hardlink path traversal via drive-relative linkpaths, enabling arbitrary file writes outside the extraction root (high severity, CVE-2026-29786).

Change

- "tar": "7.5.9",
+ "tar": "7.5.10",
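Review bot: the override is an exact pin (`"tar": "7.5.10"`), so the next tar patch release will need another manual bump of this line; if the goal is only to keep the vulnerable range out, a floor such as `"tar": ">=7.5.10"` in `pnpm.overrides` would pick up later patches automatically, while an exact pin is the right choice if reproducible resolution is the goal. Either way, confirm in the updated `pnpm-lock.yaml` (for example with `pnpm why tar`) that no resolution of tar below 7.5.10 remains, since an override only helps if every dependency path is actually rewritten to it.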

Bumps the pnpm.overrides pin for tar from the vulnerable 7.5.9 to the patched 7.5.10. Lockfile updated accordingly.

Original prompt

This section gives details on the original issue you should resolve

<issue_title>Daily Maintenance Report</issue_title>
<issue_description>## 2026-03-07 (UTC)

### Summary Metrics

| Metric | Value |
|---|---|
| New issues (since last run) | 0 |
| Open PRs | 0 |
| Stale issues (>30 days) | 0 |
| Stale PRs (>7 days) | 0 |
| Main branch checks | ✅ Build, Test, Lint, Setup, Analyze, Scorecard, Release: all success (2026-03-07); Fro Bot: 🔄 in progress (this run) |
| Security alerts (Dependabot) | 1 open — high severity |

### Stale Issues (no activity >30 days)

No stale issues. 2 open issues (#252, #2); both active within the last 2 days.

### Stale PRs (no activity >7 days / >14 days)

No open PRs.

### Unassigned Bugs

No open issues with the bug label.

### Recommended Actions

  • Address open Dependabot alert #27: tar Hardlink Path Traversal via Drive-Relative Linkpath (high severity, opened 2026-03-06 — unresolved for 2 days)

### Notes

  • #200 (Issue Triage Summary - February 2026) closed since last run ✅
  • Main branch CI fully healthy: Build ✅ Test ✅ Lint ✅ Setup ✅ Analyze ✅ Scorecard ✅ Release ✅ (all 2026-03-07)
  • Dependabot alert #27: tar Hardlink Path Traversal — still open (high severity, day 2)
  • Dependency Dashboard #2 updated today (Renovate active)

## 2026-03-06 (UTC)

### Summary Metrics

| Metric | Value |
|---|---|
| New issues (since last run) | 0 |
| Open PRs | 0 |
| Stale issues (>30 days) | 0 |
| Stale PRs (>7 days) | 0 |
| Main branch checks | ✅ Update Repo Settings: success (2026-03-06); Fro Bot: ✅ success (2026-03-05); 🔄 this run in progress |
| Security alerts (Dependabot) | ★ 1 open — high severity |

### Stale Issues (no activity >30 days)

No stale issues. 3 open issues (#252, #200, #2); #200 last active 2026-02-16 (18 days — 12 days from stale threshold).

### Stale PRs (no activity >7 days / >14 days)

No open PRs.

### Unassigned Bugs

No open issues with the bug label.

### Recommended Actions

  • ★ Address new Dependabot alert #27: tar Hardlink Path Traversal via Drive-Relative Linkpath (high severity, opened 2026-03-06)
  • Triage #200: Issue Triage Summary - February 2026 (last activity 2026-02-16; 12 days from stale threshold)

### Notes

  • No new issues or PRs since last run (2026-03-05)
  • ★ New Dependabot alert #27: tar Hardlink Path Traversal via Drive-Relative Linkpath (high severity)
  • Dependency Dashboard #2 updated today (Renovate active)
  • Main branch CI: Update Repo Settings ✅ (2026-03-06); no code push CI since 2026-03-03

## 2026-03-05 (UTC)

### Summary Metrics

| Metric | Value |
|---|---|
| New issues (since last run) | 0 |
| Open PRs | 0 |
| Stale issues (>30 days) | 0 |
| Stale PRs (>7 days) | 0 |
| Main branch checks | ✅ Update Repo Settings: success (2026-03-05); CodeQL: success (2026-03-04); Fro Bot: 🔄 in progress (this run); prior CI suite (Analyze, Test, Lint, Scorecard, Release) last seen ✅ 2026-03-03 |
| Security alerts (Dependabot) | 0 open |

### Stale Issues (no activity >30 days)

No stale issues. 3 open issues (#252, #200, #2); #200 last active 2026-02-16 (17 days — approaching 30-day threshold).

### Stale PRs (no activity >7 days / >14 days)

No open PRs.

### Unassigned Bugs

No open issues with the bug label.

### Recommended Actions

  • Triage #200: Issue Triage Summary - February 2026 (last activity 2026-02-16; candidate for closure — 13 days from stale threshold)

### Notes

  • No new issues or PRs since last run (2026-03-04)
  • Dependency Dashboard #2 updated today (Renovate active)
  • 0 Dependabot security alerts — all resolved (since 2026-03-03)
  • Main branch CI healthy; CodeQL success 2026-03-04; no new code pushes to main since 2026-03-03

## 2026-03-04 (UTC)

### Summary Metrics

| Metric | Value |
|---|---|
| New issues (since last run) | 0 |
| Open PRs | 0 |
| Stale issues (>30 days) | 0 |
| Stale PRs (>7 days) | 0 |
| Main branch checks | ✅ Analyze: success; Update Repo Settings: success; Score... |

Custom agent used: Fro Bot
Autonomous implementation agent for the fro-bot/agent GitHub Action. Handles features, fixes, and maintenance across a 13k-line TypeScript ESM codebase with strict TDD, committed dist/, and SDK lifecycle patterns. Select this agent for any code change to this repository.
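The alert in the comment above describes hardlink path traversal via drive-relative linkpaths. The following is an added example, not code from node-tar or from this repository, of the defensive validation that class of bug calls for: each hardlink entry's linkpath is classified and anything that is absolute, UNC, drive-relative (the case named in the alert) or climbs out of the extraction root is refused before extraction. The archive listing and entry names are constructed for the example.

```python
"""Classify tar hardlink targets before extraction (constructed example).

A hardlink's linkpath names a file that already exists *inside the
archive*, so a safe target is always a relative path that stays under
the extraction root. Symlinks follow different rules and are out of scope.
"""
import ntpath
import posixpath


def classify_linkpath(linkpath: str) -> str:
    """Return 'empty', 'unc', 'drive-relative', 'absolute', 'escapes' or 'relative'."""
    if not linkpath:
        return "empty"
    drive, tail = ntpath.splitdrive(linkpath)
    if drive.startswith(("\\\\", "//")):
        return "unc"
    if drive:
        # "C:foo" (no separator after the colon) resolves against the
        # process's current directory on drive C:, not the extraction root.
        return "drive-relative" if tail[:1] not in ("\\", "/") else "absolute"
    if linkpath[0] in ("/", "\\"):
        return "absolute"
    # Fold backslashes before normalising so "a\..\..\b" is judged like "a/../../b".
    norm = posixpath.normpath(linkpath.replace("\\", "/"))
    if norm == ".." or norm.startswith("../"):
        return "escapes"
    return "relative"


def unsafe_hardlinks(entries):
    """entries: iterable of (name, typeflag, linkpath); typeflag '1' is a hardlink.

    Returns [(name, reason)] for every hardlink whose target must not be followed."""
    rejected = []
    for name, typeflag, linkpath in entries:
        if typeflag != "1":
            continue
        kind = classify_linkpath(linkpath)
        if kind != "relative":
            rejected.append((name, kind))
    return rejected


# Constructed listing standing in for a parsed archive (not a real tarball).
SAMPLE_ENTRIES = [
    ("docs/readme.txt", "0", ""),
    ("docs/copy.txt", "1", "docs/readme.txt"),
    ("link-drive", "1", "C:somefile"),
    ("link-dotdot", "1", "../../outside.txt"),
    ("link-abs", "1", "/outside.txt"),
    ("link-unc", "1", "\\\\host\\share\\outside.txt"),
]

if __name__ == "__main__":
    for name, reason in unsafe_hardlinks(SAMPLE_ENTRIES):
        print(f"reject {name}: linkpath is {reason}")
```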



…9h96

Co-authored-by: marcusrbrown <831617+marcusrbrown@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Fix open Dependabot security alert" to "fix(deps): bump tar override to 7.5.10 (GHSA-qffp-2rhf-9h96)" on Mar 7, 2026
marcusrbrown marked this pull request as ready for review March 7, 2026 21:26
marcusrbrown merged commit 50b1f4b into main Mar 8, 2026
15 of 27 checks passed
marcusrbrown deleted the copilot/fix-dependabot-security-alert branch March 8, 2026 04:53
fro-bot mentioned this pull request Mar 8, 2026 (42 tasks)

Development

Successfully merging this pull request may close these issues.

Daily Maintenance Report
