refactor: Bump tar, npm and @mongodb-js/mongodb-downloader#3280

Merged
mtrezza merged 1 commit into alpha from dependabot/npm_and_yarn/multi-a609175bb9
Mar 30, 2026

@dependabot
Contributor

@dependabot dependabot Bot commented on behalf of github Mar 30, 2026

Bumps tar, npm and @mongodb-js/mongodb-downloader. These dependencies needed to be updated together.
Updates tar from 6.2.1 to 7.5.13

Changelog

Sourced from tar's changelog.

Changelog

7.5

  • Added zstd compression support.
  • Consistent TOCTOU behavior in sync t.list
  • Only read from ustar block if not specified in Pax
  • Fix sync tar.list when file size reduces while reading
  • Sanitize absolute linkpaths properly
  • Prevent writing hardlink entries to the archive ahead of their file target

7.4

  • Deprecate onentry in favor of onReadEntry for clarity.

7.3

  • Add onWriteEntry option

7.2

  • DRY the command definitions into a single makeCommand method, and update the type signatures to more appropriately infer the return type from the options and arguments provided.

7.1

  • Update minipass to v7.1.0
  • Update the type definitions of write() and end() methods on Unpack and Parser classes to be compatible with the NodeJS.WritableStream type in the latest versions of @types/node.

7.0

  • Drop support for node <18
  • Rewrite in TypeScript, provide ESM and CommonJS hybrid interface
  • Add tree-shake friendly exports, like import('tar/create') and import('tar/read-entry') to get individual functions or classes.
  • Add chmod option that defaults to false, and deprecate noChmod. That is, reverse the default option regarding explicitly setting file system modes to match tar entry settings.
  • Add processUmask option to avoid having to call process.umask() when chmod: true (or noChmod: false) is set.

... (truncated)

Commits
Maintainer changes

This version was pushed to npm by isaacs, a new releaser for tar since your current version.

Install script changes

This version adds prepare script that runs during installation. Review the package contents before updating.


Updates npm from 10.9.3 to 10.9.8

Release notes

Sourced from npm's releases.

v10.9.8

Dependencies

v10.9.7

10.9.7 (2026-03-18)

Bug Fixes

Dependencies

Chores

v10.9.6

10.9.6 (2026-03-10)

Bug Fixes

Dependencies

v10.9.5

10.9.5 (2026-03-04)

Bug Fixes

Dependencies

... (truncated)

Commits
  • dd3c80e chore: release 10.9.8
  • 8aa9c82 fix: eagerly require promise-retry to survive self-upgrade
  • 58c302d chore: release 10.9.7
  • e5c1309 chore: dev dependency updates
  • cc9a4de deps: hoist production @​sigstore dependencies
  • bbcd455 fix(arborist): v10 - backport store, lock-only, and override sibling fixes (#...
  • 49a764e chore: release 10.9.6
  • d6fe671 fix(arborist): v10 - backport multiple fixes for linked install (#9098)
  • ebd09c3 fix(arborist): backport linked strategy hoisting fixes to v10 (#9084)
  • a5dadad deps: tar@7.5.11
  • Additional commits viewable in compare view

Updates npm from 11.9.0 to 11.12.1

Release notes

Sourced from npm's releases.

v10.9.8

Dependencies

v10.9.7

10.9.7 (2026-03-18)

Bug Fixes

Dependencies

Chores

v10.9.6

10.9.6 (2026-03-10)

Bug Fixes

Dependencies

v10.9.5

10.9.5 (2026-03-04)

Bug Fixes

Dependencies

... (truncated)

Commits
  • dd3c80e chore: release 10.9.8
  • 8aa9c82 fix: eagerly require promise-retry to survive self-upgrade
  • 58c302d chore: release 10.9.7
  • e5c1309 chore: dev dependency updates
  • cc9a4de deps: hoist production @​sigstore dependencies
  • bbcd455 fix(arborist): v10 - backport store, lock-only, and override sibling fixes (#...
  • 49a764e chore: release 10.9.6
  • d6fe671 fix(arborist): v10 - backport multiple fixes for linked install (#9098)
  • ebd09c3 fix(arborist): backport linked strategy hoisting fixes to v10 (#9084)
  • a5dadad deps: tar@7.5.11
  • Additional commits viewable in compare view

Updates @mongodb-js/mongodb-downloader from 1.1.7 to 1.1.9

Commits
  • cd56f7e chore(ci): bump packages
  • cb4f99f fix: default condition should be last one (#629)
  • 2d1269d chore(ci): bump packages
  • 31173a2 fix(mongodb-server-log-checker): ignore warnings from internal clients (#627)
  • b85e3f1 chore(ci): bump packages
  • 061e7c3 feat(mongodb-server-log-checker): add package (#624)
  • 63b1749 chore(ci): bump packages
  • 18cc55e chore(mongodb-downloader): bump tar VSCODE-753 (#625)
  • fabfa55 chore(ci): bump packages
  • 40879b8 fix(mongodb-runner): configsvr must always use 127.0.0.1 DRIVERS-3335 (#620)
  • Additional commits viewable in compare view

Summary by CodeRabbit

  • Chores
    • Updated package dependencies and their transitive dependencies to ensure consistency and resolve version constraints across the dependency graph.

@dependabot dependabot Bot added the labels dependencies (Bot label; pull requests that updates a dependency file) and javascript (Pull requests that update javascript code) Mar 30, 2026
@parse-github-assistant

I will reformat the title to use the proper commit message syntax.

@parse-github-assistant parse-github-assistant Bot changed the title refactor: bump tar, npm and @mongodb-js/mongodb-downloader refactor: Bump tar, npm and @mongodb-js/mongodb-downloader Mar 30, 2026
@parseplatformorg
Contributor

parseplatformorg commented Mar 30, 2026

Snyk checks have passed. No issues have been found so far.

| Status | Scan Engine | Critical | High | Medium | Low | Total (0) |
| --- | --- | --- | --- | --- | --- | --- |
| | Open Source Security | 0 | 0 | 0 | 0 | 0 issues |

@dependabot dependabot Bot changed the title refactor: Bump tar, npm and @mongodb-js/mongodb-downloader refactor: bump tar, npm and @mongodb-js/mongodb-downloader Mar 30, 2026
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/multi-a609175bb9 branch from 994d9c7 to edee380 Compare March 30, 2026 02:35
@parse-github-assistant parse-github-assistant Bot changed the title refactor: bump tar, npm and @mongodb-js/mongodb-downloader refactor: Bump tar, npm and @mongodb-js/mongodb-downloader Mar 30, 2026
@dependabot dependabot Bot changed the title refactor: Bump tar, npm and @mongodb-js/mongodb-downloader refactor: bump tar, npm and @mongodb-js/mongodb-downloader Mar 30, 2026
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/multi-a609175bb9 branch from edee380 to 14a94f7 Compare March 30, 2026 03:10
@parse-github-assistant parse-github-assistant Bot changed the title refactor: bump tar, npm and @mongodb-js/mongodb-downloader refactor: Bump tar, npm and @mongodb-js/mongodb-downloader Mar 30, 2026
@dependabot dependabot Bot changed the title refactor: Bump tar, npm and @mongodb-js/mongodb-downloader refactor: bump tar, npm and @mongodb-js/mongodb-downloader Mar 30, 2026
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/multi-a609175bb9 branch from 14a94f7 to 8c48ddc Compare March 30, 2026 03:37
@parse-github-assistant parse-github-assistant Bot changed the title refactor: bump tar, npm and @mongodb-js/mongodb-downloader refactor: Bump tar, npm and @mongodb-js/mongodb-downloader Mar 30, 2026
@dependabot dependabot Bot changed the title refactor: Bump tar, npm and @mongodb-js/mongodb-downloader refactor: bump tar, npm and @mongodb-js/mongodb-downloader Mar 30, 2026
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/multi-a609175bb9 branch from 8c48ddc to 32b13c3 Compare March 30, 2026 09:54
@parse-github-assistant parse-github-assistant Bot changed the title refactor: bump tar, npm and @mongodb-js/mongodb-downloader refactor: Bump tar, npm and @mongodb-js/mongodb-downloader Mar 30, 2026
@dependabot dependabot Bot changed the title refactor: Bump tar, npm and @mongodb-js/mongodb-downloader refactor: bump tar, npm and @mongodb-js/mongodb-downloader Mar 30, 2026
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/multi-a609175bb9 branch from 32b13c3 to 51fba25 Compare March 30, 2026 10:39
@parse-github-assistant parse-github-assistant Bot changed the title refactor: bump tar, npm and @mongodb-js/mongodb-downloader refactor: Bump tar, npm and @mongodb-js/mongodb-downloader Mar 30, 2026
@dependabot dependabot Bot changed the title refactor: Bump tar, npm and @mongodb-js/mongodb-downloader refactor: bump tar, npm and @mongodb-js/mongodb-downloader Mar 30, 2026
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/multi-a609175bb9 branch from 51fba25 to 61fb6cb Compare March 30, 2026 10:45
@parse-github-assistant parse-github-assistant Bot changed the title refactor: bump tar, npm and @mongodb-js/mongodb-downloader refactor: Bump tar, npm and @mongodb-js/mongodb-downloader Mar 30, 2026

Bumps [tar](https://github.com/isaacs/node-tar), [npm](https://github.com/npm/cli) and [@mongodb-js/mongodb-downloader](https://github.com/mongodb-js/devtools-shared). These dependencies needed to be updated together.

Updates `tar` from 7.5.7 to 7.5.13
- [Release notes](https://github.com/isaacs/node-tar/releases)
- [Changelog](https://github.com/isaacs/node-tar/blob/main/CHANGELOG.md)
- [Commits](isaacs/node-tar@v7.5.7...v7.5.13)

Updates `npm` from 10.9.3 to 10.9.8
- [Release notes](https://github.com/npm/cli/releases)
- [Changelog](https://github.com/npm/cli/blob/latest/CHANGELOG.md)
- [Commits](npm/cli@v10.9.3...v10.9.8)

Updates `npm` from 11.9.0 to 11.12.1
- [Release notes](https://github.com/npm/cli/releases)
- [Changelog](https://github.com/npm/cli/blob/latest/CHANGELOG.md)
- [Commits](npm/cli@v10.9.3...v10.9.8)

Updates `@mongodb-js/mongodb-downloader` from 1.1.7 to 1.1.9
- [Commits](https://github.com/mongodb-js/devtools-shared/compare/@mongodb-js/mongodb-downloader@1.1.7...@mongodb-js/mongodb-downloader@1.1.9)

---
updated-dependencies:
- dependency-name: tar
  dependency-version: 7.5.13
  dependency-type: indirect
- dependency-name: npm
  dependency-version: 10.9.8
  dependency-type: indirect
- dependency-name: npm
  dependency-version: 11.12.1
  dependency-type: indirect
- dependency-name: "@mongodb-js/mongodb-downloader"
  dependency-version: 1.1.9
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot changed the title refactor: Bump tar, npm and @mongodb-js/mongodb-downloader refactor: bump tar, npm and @mongodb-js/mongodb-downloader Mar 30, 2026
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/multi-a609175bb9 branch from 61fb6cb to 9a4ae52 Compare March 30, 2026 15:53
@parse-github-assistant parse-github-assistant Bot changed the title refactor: bump tar, npm and @mongodb-js/mongodb-downloader refactor: Bump tar, npm and @mongodb-js/mongodb-downloader Mar 30, 2026
@mtrezza mtrezza changed the title refactor: Bump tar, npm and @mongodb-js/mongodb-downloader build(deps-dev): Bump tar, npm and @mongodb-js/mongodb-downloader Mar 30, 2026
@parse-github-assistant

parse-github-assistant Bot commented Mar 30, 2026

🚀 Thanks for opening this pull request! We appreciate your effort in improving the project. Please let us know once your pull request is ready for review.

Tip

  • Keep pull requests small. Large PRs will be rejected. Break complex features into smaller, incremental PRs.
  • Use Test Driven Development. Write failing tests before implementing functionality. Ensure tests pass.
  • Group code into logical blocks. Add a short comment before each block to explain its purpose.
  • We offer conceptual guidance. Coding is up to you. PRs must be merge-ready for human review.
  • Our review focuses on concept, not quality. PRs with code issues will be rejected. Use an AI agent.
  • Human review time is precious. Avoid review ping-pong. Inspect and test your AI-generated code.

Note

Please respond to review comments from AI agents just like you would to comments from a human reviewer. Let the reviewer resolve their own comments, unless they have reviewed and accepted your commit, or agreed with your explanation for why the feedback was incorrect.

Caution

Pull requests must be written using an AI agent with human supervision. Pull requests written entirely by a human will likely be rejected, because of lower code quality, higher review effort and the higher risk of introducing bugs. Please note that AI review comments on this pull request alone do not satisfy this requirement.

@mtrezza
Member

mtrezza commented Mar 30, 2026

@coderabbitai review

@coderabbitai

coderabbitai Bot commented Mar 30, 2026

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@coderabbitai

coderabbitai Bot commented Mar 30, 2026

📝 Walkthrough


Updated package-lock.json to bump transitive package versions across multiple dependencies, including @mongodb-js/mongodb-downloader, mongodb-download-url, and npm bundles within @semantic-release/npm and top-level npm. Restructured nested dependency trees with integrity hash updates and removed/replaced several nested modules.

Changes

| Cohort / File(s) | Summary |
| --- | --- |
| Dependency Version Updates: package-lock.json | Added @isaacs/fs-minipass v4.0.1; upgraded @semantic-release/npm's bundled npm (11.9.0→11.12.1); upgraded top-level npm (10.9.3→10.9.8); bumped transitive dependencies including @mongodb-js/mongodb-downloader, mongodb-download-url, tar, minizlib, chownr, and others with corresponding integrity hash updates. Removed and replaced nested modules in bundled npm dependency trees. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
| --- | --- | --- | --- |
| Description check | ⚠️ Warning | The PR description is comprehensive but does not follow the provided template structure, missing the Issue, Approach, and Tasks sections required by the repository. | Restructure the description to include the required template sections: Issue (link to related issue if applicable), Approach (summary of changes), and Tasks (checklist for tests and documentation updates). |

✅ Passed checks (2 passed)

| Check name | Status | Explanation |
| --- | --- | --- |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Title check | ✅ Passed | The title clearly summarizes the main change: bumping three key development dependencies (tar, npm, and @mongodb-js/mongodb-downloader), which matches the primary focus of the changeset. |


@mtrezza mtrezza changed the title build(deps-dev): Bump tar, npm and @mongodb-js/mongodb-downloader build: Bump tar, npm and @mongodb-js/mongodb-downloader Mar 30, 2026
@mtrezza mtrezza changed the title build: Bump tar, npm and @mongodb-js/mongodb-downloader refactor: Bump tar, npm and @mongodb-js/mongodb-downloader Mar 30, 2026
@mtrezza mtrezza merged commit 848989c into alpha Mar 30, 2026
11 checks passed
@mtrezza mtrezza deleted the dependabot/npm_and_yarn/multi-a609175bb9 branch March 30, 2026 17:25
@parseplatformorg
Contributor

🎉 This change has been released in version 9.1.0-alpha.12

@parseplatformorg parseplatformorg added the state:released-alpha Released as alpha version label Apr 7, 2026
@parseplatformorg
Contributor

🎉 This change has been released in version 9.1.0

Labels

  • dependencies: Bot label; pull requests that updates a dependency file
  • javascript: Pull requests that update javascript code
  • state:released: Released as stable version
  • state:released-alpha: Released as alpha version
