refactor: Bump tar, npm and @mongodb-js/mongodb-downloader

[dependabot]

Bumps tar, npm and @mongodb-js/mongodb-downloader. These dependencies needed to be updated together.
Updates tar from 7.5.1 to 7.5.13

Commits

• d6611ae 7.5.13
• 119c401 fix(extract): prevent raced symlink writes outside cwd
• 2a294d3 7.5.12
• 01082a4 fix: reject top promise on floating addFilesAsync rejections
• dd1c36a linting
• 35a1ffe doc: more clarity in security warning
• bf776f6 7.5.11
• f48b5fa prevent escaping symlinks with drive-relative paths
• 97cff15 docs: more security info
• 2b72abc 7.5.10
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by isaacs, a new releaser for tar since your current version.

Install script changes

This version adds prepare script that runs during installation. Review the package contents before updating.

Updates npm from 11.6.2 to 11.12.1

Release notes

Sourced from npm's releases.

v11.12.1

11.12.1 (2026-03-24)

Bug Fixes

• 596706a #9148 revert prefer-offline/prefer-online exclusivity (#9129) (@​owlstronaut)

Documentation

• d1ee8a5 #9140 Add note on relative path prefix for npm publish (#9140) (@​pydsigner)

Dependencies

• workspace: @npmcli/config@10.8.1

v11.12.0

11.12.0 (2026-03-18)

Features

• 8eff5fb #9049 audit: add --include-attestations flag to output sigstore bundles (#9049) (@​mitchdenny)

Bug Fixes

• 03af94d #9123 skip synopsis code block when command has no usage (@​owlstronaut)
• 21ea382 #9110 arborist: resolve sibling override sets via common ancestor (#9110) (@​manzoorwanijk)

Dependencies

• 03f4c3a #9131 @sigstore/tuf@4.0.2
• 4d5f7d9 #9131 @gar/promise-retry@1.0.3
• 8dcfe69 #9131 @sigstore/sign@4.1.1
• e5a7e22 #9127 lru-cache@11.2.7
• 82deab6 #9127 make-fetch-happen@15.0.5
• ce195dc #9127 cacache@20.0.4

Chores

• 95fa7f4 #9132 fix docs test snapshot (#9132) (@​wraithgar)
• 7e9d538 #9127 dev dependency updates (@​wraithgar)
• 920e5ed #9127 test snapshots (@​wraithgar)
• 98ccf92 #9125 fix snap tests (@​owlstronaut)
• workspace: @npmcli/arborist@9.4.2
• workspace: @npmcli/config@10.8.0
• workspace: libnpmdiff@8.1.5
• workspace: libnpmexec@10.2.5
• workspace: libnpmfund@7.0.19
• workspace: libnpmpack@9.1.5

v11.11.1

11.11.1 (2026-03-10)

Bug Fixes

• a9d242b #9099 include all subcommands on main command help (#9099) (@​wraithgar)
• 29b8407 #9087 unwrap comments and lines meant for output (#9087) (@​wraithgar)
• b56986a #9095 ls: suppress false UNMET DEPENDENCYs in linked strategy (#9095) (@​manzoorwanijk)
• 76c76e5 #9083 ci: don't error on optional deps in the lockfile (#9083) (@​wraithgar)
• a29aeee #9028 arborist: retry bin-links on Windows EPERM (#9028) (@​manzoorwanijk)
• 6565eeb #9045 bypass packument cache to prevent ETARGET errors after publish (#9045) (@​Jadu07)

Documentation

• 3b96929 #9074 scripts: remove mention of obsolete root user behavior (#9074) (@​mohd-akram)
• 16ac4e0 #9054 fix workspace cross-dependency documentation (@​owlstronaut)

... (truncated)

Changelog

Sourced from npm's changelog.

11.12.1 (2026-03-24)

Bug Fixes

• 596706a #9148 revert prefer-offline/prefer-online exclusivity (#9129) (@​owlstronaut)

Documentation

• d1ee8a5 #9140 Add note on relative path prefix for npm publish (#9140) (@​pydsigner)

Dependencies

• workspace: @npmcli/config@10.8.1

11.12.0 (2026-03-18)

Features

• 8eff5fb #9049 audit: add --include-attestations flag to output sigstore bundles (#9049) (@​mitchdenny)

Bug Fixes

• 03af94d #9123 skip synopsis code block when command has no usage (@​owlstronaut)
• 21ea382 #9110 arborist: resolve sibling override sets via common ancestor (#9110) (@​manzoorwanijk)

Dependencies

• 03f4c3a #9131 @sigstore/tuf@4.0.2
• 4d5f7d9 #9131 @gar/promise-retry@1.0.3
• 8dcfe69 #9131 @sigstore/sign@4.1.1
• e5a7e22 #9127 lru-cache@11.2.7
• 82deab6 #9127 make-fetch-happen@15.0.5
• ce195dc #9127 cacache@20.0.4

Chores

• 95fa7f4 #9132 fix docs test snapshot (#9132) (@​wraithgar)
• 7e9d538 #9127 dev dependency updates (@​wraithgar)
• 920e5ed #9127 test snapshots (@​wraithgar)
• 98ccf92 #9125 fix snap tests (@​owlstronaut)
• workspace: @npmcli/arborist@9.4.2
• workspace: @npmcli/config@10.8.0
• workspace: libnpmdiff@8.1.5
• workspace: libnpmexec@10.2.5
• workspace: libnpmfund@7.0.19
• workspace: libnpmpack@9.1.5

11.11.1 (2026-03-10)

Bug Fixes

• a9d242b #9099 include all subcommands on main command help (#9099) (@​wraithgar)
• 29b8407 #9087 unwrap comments and lines meant for output (#9087) (@​wraithgar)
• b56986a #9095 ls: suppress false UNMET DEPENDENCYs in linked strategy (#9095) (@​manzoorwanijk)
• 76c76e5 #9083 ci: don't error on optional deps in the lockfile (#9083) (@​wraithgar)
• a29aeee #9028 arborist: retry bin-links on Windows EPERM (#9028) (@​manzoorwanijk)
• 6565eeb #9045 bypass packument cache to prevent ETARGET errors after publish (#9045) (@​Jadu07)

Documentation

• 3b96929 #9074 scripts: remove mention of obsolete root user behavior (#9074) (@​mohd-akram)
• 16ac4e0 #9054 fix workspace cross-dependency documentation (@​owlstronaut)

Dependencies

• 075ae23 #9086 tar@7.5.11
• 13fa40d #9086 pacote@21.5.0

... (truncated)

Commits

• 63b9a7c chore: release 11.12.1
• 596706a fix: revert prefer-offline/prefer-online exclusivity (#9129)
• d1ee8a5 docs: Add note on relative path prefix for npm publish (#9140)
• 1afa738 chore: release 11.12.0
• 95fa7f4 chore: fix docs test snapshot (#9132)
• 03f4c3a deps: @​sigstore/tuf@​4.0.2
• 4d5f7d9 deps: @​gar/promise-retry@​1.0.3
• 8dcfe69 deps: @​sigstore/sign@​4.1.1
• d273380 fix(config): make prefer-offline and prefer-online exclusive (#9129)
• 7e9d538 chore: dev dependency updates
• Additional commits viewable in compare view

Updates @mongodb-js/mongodb-downloader from 1.1.7 to 1.1.9

Commits

• cd56f7e chore(ci): bump packages
• cb4f99f fix: default condition should be last one (#629)
• 2d1269d chore(ci): bump packages
• 31173a2 fix(mongodb-server-log-checker): ignore warnings from internal clients (#627)
• b85e3f1 chore(ci): bump packages
• 061e7c3 feat(mongodb-server-log-checker): add package (#624)
• 63b1749 chore(ci): bump packages
• 18cc55e chore(mongodb-downloader): bump tar VSCODE-753 (#625)
• fabfa55 chore(ci): bump packages
• 40879b8 fix(mongodb-runner): configsvr must always use 127.0.0.1 DRIVERS-3335 (#620)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.

[dependabot]

Looks like these dependencies are updatable in another way, so this is no longer needed.