chore: upgrade tar to ^7.5.16 to address CVE-2026-53655

[linear-code]

Fixes SOU-1362

Refreshes the yarn.lock entry for tar (transitive via node-gyp/cacache) from 7.5.13 to 7.5.16 to address CVE-2026-53655, where node-tar applies a PAX size= override to intermediary GNU long-name/long-link headers, causing a tar parser interpretation differential (file smuggling).

The existing ^7.4.3 range already admitted the patched version, so this is a lockfile-only refresh (yarn up -R tar) with no package.json change.

[github-actions]

License Audit

⚠️ Status: PASS

Metric	Count
Total packages	2130
Resolved (non-standard)	11
Unresolved	0
Strong copyleft	0
Weak copyleft	39

Weak Copyleft Packages (informational)

Package	Version	License
@img/sharp-libvips-darwin-arm64	1.0.4	LGPL-3.0-or-later
@img/sharp-libvips-darwin-arm64	1.2.4	LGPL-3.0-or-later
@img/sharp-libvips-darwin-x64	1.0.4	LGPL-3.0-or-later
@img/sharp-libvips-darwin-x64	1.2.4	LGPL-3.0-or-later
@img/sharp-libvips-linux-arm	1.0.5	LGPL-3.0-or-later
@img/sharp-libvips-linux-arm	1.2.4	LGPL-3.0-or-later
@img/sharp-libvips-linux-arm64	1.0.4	LGPL-3.0-or-later
@img/sharp-libvips-linux-arm64	1.2.4	LGPL-3.0-or-later
@img/sharp-libvips-linux-ppc64	1.2.4	LGPL-3.0-or-later
@img/sharp-libvips-linux-riscv64	1.2.4	LGPL-3.0-or-later
@img/sharp-libvips-linux-s390x	1.0.4	LGPL-3.0-or-later
@img/sharp-libvips-linux-s390x	1.2.4	LGPL-3.0-or-later
@img/sharp-libvips-linux-x64	1.0.4	LGPL-3.0-or-later
@img/sharp-libvips-linux-x64	1.2.4	LGPL-3.0-or-later
@img/sharp-libvips-linuxmusl-arm64	1.0.4	LGPL-3.0-or-later
@img/sharp-libvips-linuxmusl-arm64	1.2.4	LGPL-3.0-or-later
@img/sharp-libvips-linuxmusl-x64	1.0.4	LGPL-3.0-or-later
@img/sharp-libvips-linuxmusl-x64	1.2.4	LGPL-3.0-or-later
@img/sharp-wasm32	0.33.5	Apache-2.0 AND LGPL-3.0-or-later AND MIT
@img/sharp-wasm32	0.34.5	Apache-2.0 AND LGPL-3.0-or-later AND MIT
@img/sharp-win32-arm64	0.34.5	Apache-2.0 AND LGPL-3.0-or-later
@img/sharp-win32-ia32	0.33.5	Apache-2.0 AND LGPL-3.0-or-later
@img/sharp-win32-ia32	0.34.5	Apache-2.0 AND LGPL-3.0-or-later
@img/sharp-win32-x64	0.33.5	Apache-2.0 AND LGPL-3.0-or-later
@img/sharp-win32-x64	0.34.5	Apache-2.0 AND LGPL-3.0-or-later
axe-core	4.10.3	MPL-2.0
dompurify	3.4.11	(MPL-2.0 OR Apache-2.0)
lightningcss	1.32.0	MPL-2.0
lightningcss-android-arm64	1.32.0	MPL-2.0
lightningcss-darwin-arm64	1.32.0	MPL-2.0
lightningcss-darwin-x64	1.32.0	MPL-2.0
lightningcss-freebsd-x64	1.32.0	MPL-2.0
lightningcss-linux-arm-gnueabihf	1.32.0	MPL-2.0
lightningcss-linux-arm64-gnu	1.32.0	MPL-2.0
lightningcss-linux-arm64-musl	1.32.0	MPL-2.0
lightningcss-linux-x64-gnu	1.32.0	MPL-2.0
lightningcss-linux-x64-musl	1.32.0	MPL-2.0
lightningcss-win32-arm64-msvc	1.32.0	MPL-2.0
lightningcss-win32-x64-msvc	1.32.0	MPL-2.0

Resolved Packages (11)

Package	Version	Original	Resolved	Source
@react-grab/cli	0.1.23	UNKNOWN	MIT	GitHub repo (aidenybai/react-grab, MIT) — package @react-grab/cli lives in packages/cli of this monorepo
@react-grab/cli	0.1.29	UNKNOWN	MIT	GitHub repo (aidenybai/react-grab, MIT) — package @react-grab/cli lives in packages/cli of this monorepo
@react-grab/mcp	0.1.29	UNKNOWN	MIT	GitHub repo (aidenybai/react-grab, MIT) — same @react-grab scope and npm maintainer (abai/aidenybai) as @react-grab/cli
codemirror-lang-elixir	4.0.0	UNKNOWN	Apache-2.0	GitHub repo (livebook-dev/codemirror-lang-elixir LICENSE file)
element-source	0.0.3	UNKNOWN	MIT	GitHub repo (aidenybai/element-source, MIT) — npm maintainer abai (aiden.bai05@gmail.com) matches
lezer-elixir	1.1.2	UNKNOWN	Apache-2.0	GitHub repo (livebook-dev/lezer-elixir LICENSE file)
map-stream	0.1.0	UNKNOWN	MIT	GitHub repo (dominictarr/map-stream LICENCE file)
memorystream	0.3.1	UNKNOWN	MIT	extracted from object — npm registry licenses field [{"type":"MIT"}]
pause-stream	0.0.11	["MIT","Apache2"]	MIT OR Apache-2.0	extracted from object — license array in package metadata (dual-licensed MIT/Apache-2.0)
posthog-js	1.369.0	SEE LICENSE IN LICENSE	Apache-2.0	GitHub repo (PostHog/posthog-js LICENSE file — Apache License 2.0)
valid-url	1.0.9	UNKNOWN	MIT	GitHub repo (ogt/valid-url LICENSE file — MIT)