
refactor: Bump tar and npm#1878

Merged
mtrezza merged 1 commit into master from dependabot/npm_and_yarn/multi-cc382f683c
Mar 30, 2026

Conversation


@dependabot dependabot Bot commented on behalf of github Mar 11, 2026

Removes tar. It's no longer used after updating ancestor dependency npm. These dependencies need to be updated together.

Removes tar

Updates npm from 11.7.0 to 11.11.1

Release notes

Sourced from npm's releases.

v11.11.1 (2026-03-10): Bug Fixes, Documentation, Dependencies, Chores
v11.11.0 (2026-02-25): Features, Bug Fixes, Documentation, Dependencies
... (truncated)

Changelog

Sourced from npm's changelog.

11.11.1 (2026-03-10): Bug Fixes, Documentation, Dependencies, Chores
11.11.0 (2026-02-25): Features, Bug Fixes, Documentation, Dependencies
... (truncated)

Commits
  • 8afa3bd chore: release 11.11.1
  • a9d242b fix: include all subcommands on main command help (#9099)
  • 5b7c0cc fix(arborist): exclude store nodes from :root > * in linked strategy (#9096)
  • 3b70a9d fix(arborist): simplify rootDeclaredDeps initialization (#9097)
  • 29b8407 fix: unwrap comments and lines meant for output (#9087)
  • b56986a fix(ls): suppress false UNMET DEPENDENCYs in linked strategy (#9095)
  • c7702d0 fix(arborist): fix non-idempotent linked install with workspace projects (#9094)
  • 075ae23 deps: tar@7.5.11
  • 13fa40d deps: pacote@21.5.0
  • 76c76e5 fix(ci): don't error on optional deps in the lockfile (#9083)
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the Security Alerts page.

Summary by CodeRabbit

  • Chores
    • Updated npm to version 11.12.1 and refreshed bundled dependencies to the latest available versions for improved stability and compatibility.

@dependabot dependabot Bot added dependencies javascript Pull requests that update Javascript code labels Mar 11, 2026
@dependabot dependabot Bot mentioned this pull request Mar 11, 2026
parse-github-assistant Bot commented Mar 11, 2026

I will reformat the title to use the proper commit message syntax.

@parse-github-assistant parse-github-assistant Bot changed the title refactor: bump tar and npm refactor: Bump tar and npm Mar 11, 2026

parseplatformorg commented Mar 11, 2026

Snyk checks have passed. No issues have been found so far.

Scan Engine: Open Source Security; Critical: 0, High: 0, Medium: 0, Low: 0, Total: 0 issues


@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/multi-cc382f683c branch from 599fae7 to ca12ed2 Compare March 30, 2026 00:29

mtrezza commented Mar 30, 2026

@coderabbitai review

coderabbitai Bot commented Mar 30, 2026

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

coderabbitai Bot commented Mar 30, 2026

Walkthrough

Updated npm from version 11.7.0 to 11.12.1 in the package lock file, including bumping numerous npm CLI and dependency packages (e.g., @npmcli/arborist, pacote, tar, semver) to newer versions while restructuring nested bundled dependencies.

Changes

Cohort / File(s): Dependency Lock File (package-lock.json)
Summary: Updated npm from 11.7.0 to 11.12.1; bumped multiple npm CLI (@npmcli/*) and core dependencies (pacote, tar, semver, glob, minimatch, etc.) to patch and minor versions; removed bundled entries (@isaacs/balanced-match, @isaacs/brace-expansion, some @sigstore/@tufjs sub-packages) and added @gar/promise-retry; restructured nested bundled dependency graph.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~15 minutes

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name: Description check
Status: ⚠️ Warning
Explanation: The description provides clear context about the changes but does not follow the repository's required PR template structure.
Resolution: Update the description to follow the template: add required checklist items, properly formatted Issue Description, Approach section, and TODOs sections instead of Dependabot's auto-generated format.
✅ Passed checks (2 passed)
Check name: Title check
Status: ✅ Passed
Explanation: The title clearly summarizes the main change: bumping the npm dependency version and removing the tar dependency.

Check name: Docstring Coverage
Status: ✅ Passed
Explanation: No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.



mtrezza commented Mar 30, 2026

@dependabot rebase

Removes [tar](https://github.com/isaacs/node-tar). It's no longer used after updating ancestor dependency [npm](https://github.com/npm/cli). These dependencies need to be updated together.


Removes `tar`

Updates `npm` from 11.7.0 to 11.11.1
- [Release notes](https://github.com/npm/cli/releases)
- [Changelog](https://github.com/npm/cli/blob/latest/CHANGELOG.md)
- [Commits](npm/cli@v11.7.0...v11.11.1)

---
updated-dependencies:
- dependency-name: tar
  dependency-version: 
  dependency-type: indirect
- dependency-name: npm
  dependency-version: 11.11.1
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/multi-cc382f683c branch from ca12ed2 to f9bd6e9 Compare March 30, 2026 02:04
coderabbitai Bot previously requested changes Mar 30, 2026

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@package-lock.json`:
- Around line 2751-2753: The package-lock.json shows "version": "11.12.1" while
the PR text claims npm was updated to 11.11.1; fix by making the declared
version consistent: either update the PR description and any changelog to state
11.12.1, or roll the lockfile back/regenerate it to 11.11.1 so it matches the PR
intent. Inspect the "version" field in package-lock.json and any npm-version
mentions in package.json or release notes and update them all to the single
correct version, then regenerate the lockfile (npm install) if you change
package.json to ensure consistency before pushing.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 76bd4842-a59c-4511-91fb-8904d8d935d2

📥 Commits

Reviewing files that changed from the base of the PR and between 4366293 and ca12ed2.

📒 Files selected for processing (1)
  • package-lock.json

Comment thread package-lock.json
Comment on lines +2751 to +2753
"version": "11.12.1",
"resolved": "https://registry.npmjs.org/npm/-/npm-11.12.1.tgz",
"integrity": "sha512-zcoUuF1kezGSAo0CqtvoLXX3mkRqzuqYdL6Y5tdo8g69NVV3CkjQ6ZBhBgB4d7vGkPcV6TcvLi3GRKPDFX+xTA==",
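Review bot: the `resolved` URL and `integrity` hash on these lines are what `npm ci` enforces at install time, so the 11.11.1 figure in the PR description is cosmetic as long as these two fields match the published 11.12.1 release; because the branch was force-pushed after the description was written (ca12ed2 to f9bd6e9), compare this `integrity` value against `npm view npm@11.12.1 dist.integrity` and confirm `resolved` still points at registry.npmjs.org before merging.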

⚠️ Potential issue | 🟡 Minor

Version inconsistency between PR description and actual code.

The PR description states that npm is being updated to version 11.11.1, but the actual version in the lockfile is 11.12.1. This is likely a minor documentation issue where either the PR description wasn't updated after a subsequent version bump, or the version was updated after the PR was created.


@mtrezza mtrezza dismissed coderabbitai[bot]’s stale review March 30, 2026 02:25

Version mismatch is a cosmetic Dependabot PR description artifact; the actual lock file correctly shows npm 11.12.1. No code fix needed.

@mtrezza mtrezza merged commit ac4e8d2 into master Mar 30, 2026
13 of 16 checks passed
@mtrezza mtrezza deleted the dependabot/npm_and_yarn/multi-cc382f683c branch March 30, 2026 02:25