From 08e6d724ff59f084638f017e5655d74419afefaf Mon Sep 17 00:00:00 2001
From: snyk-bot <snyk-bot@snyk.io>
Date: Thu, 29 Jan 2026 07:40:04 +0000
Subject: [PATCH 1/2] fix: deps/npm/package.json to reduce vulnerabilities

The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-TAR-15038581
- https://snyk.io/vuln/SNYK-JS-TAR-15032660
- https://snyk.io/vuln/SNYK-JS-TAR-15127355
---
 deps/npm/package.json | 38 +++++++++++++++++++-------------------
 1 file changed, 19 insertions(+), 19 deletions(-)

diff --git a/deps/npm/package.json b/deps/npm/package.json
index afd3b36cb08f7b..ae6c31b021df62 100644
--- a/deps/npm/package.json
+++ b/deps/npm/package.json
@@ -42,16 +42,16 @@
     "./package.json": "./package.json"
   },
   "dependencies": {
-    "@npmcli/arborist": "^2.2.8",
+    "@npmcli/arborist": "^9.0.0",
     "@npmcli/ci-detect": "^1.2.0",
     "@npmcli/config": "^1.2.9",
-    "@npmcli/run-script": "^1.8.3",
+    "@npmcli/run-script": "^9.0.2",
     "abbrev": "~1.1.1",
     "ansicolors": "~0.3.2",
     "ansistyles": "~0.1.3",
     "archy": "~1.0.0",
     "byte-size": "^7.0.1",
-    "cacache": "^15.0.5",
+    "cacache": "^19.0.0",
     "chalk": "^4.1.0",
     "chownr": "^2.0.0",
     "cli-columns": "^3.1.2",
@@ -65,33 +65,33 @@
     "is-cidr": "^4.0.2",
     "json-parse-even-better-errors": "^2.3.1",
     "leven": "^3.1.0",
-    "libnpmaccess": "^4.0.1",
-    "libnpmdiff": "^2.0.4",
-    "libnpmfund": "^1.0.2",
-    "libnpmhook": "^6.0.1",
-    "libnpmorg": "^2.0.1",
-    "libnpmpack": "^2.0.1",
-    "libnpmpublish": "^4.0.0",
-    "libnpmsearch": "^3.1.0",
-    "libnpmteam": "^2.0.2",
-    "libnpmversion": "^1.0.11",
-    "make-fetch-happen": "^8.0.14",
+    "libnpmaccess": "^9.0.0",
+    "libnpmdiff": "^8.0.8",
+    "libnpmfund": "^7.0.0",
+    "libnpmhook": "^11.0.0",
+    "libnpmorg": "^7.0.0",
+    "libnpmpack": "^9.0.0",
+    "libnpmpublish": "^10.0.0",
+    "libnpmsearch": "^8.0.0",
+    "libnpmteam": "^7.0.0",
+    "libnpmversion": "^7.0.0",
+    "make-fetch-happen": "^14.0.1",
     "minipass": "^3.1.3",
     "minipass-pipeline": "^1.2.4",
     "mkdirp": "^1.0.4",
     "mkdirp-infer-owner": "^2.0.0",
     "ms": "^2.1.2",
-    "node-gyp": "^7.1.2",
+    "node-gyp": "^11.0.0",
     "nopt": "^5.0.0",
     "npm-audit-report": "^2.1.4",
     "npm-package-arg": "^8.1.1",
     "npm-pick-manifest": "^6.1.0",
-    "npm-profile": "^5.0.2",
-    "npm-registry-fetch": "^9.0.0",
+    "npm-profile": "^11.0.1",
+    "npm-registry-fetch": "^18.0.1",
     "npm-user-validate": "^1.0.1",
     "npmlog": "~4.1.2",
     "opener": "^1.5.2",
-    "pacote": "^11.3.0",
+    "pacote": "^21.0.1",
     "parse-conflict-json": "^1.1.1",
     "qrcode-terminal": "^0.12.0",
     "read": "~1.0.7",
@@ -101,7 +101,7 @@
     "rimraf": "^3.0.2",
     "semver": "^7.3.4",
     "ssri": "^8.0.1",
-    "tar": "^6.1.0",
+    "tar": "^7.5.7",
     "text-table": "~0.2.0",
     "tiny-relative-date": "^1.3.0",
     "treeverse": "^1.0.4",

From a7b880dcfc62e16902bc7fb6b1cd988715bdaec4 Mon Sep 17 00:00:00 2001
From: snyk-bot <snyk-bot@snyk.io>
Date: Fri, 30 Jan 2026 11:22:44 +0000
Subject: [PATCH 2/2] fix: deps/npm/package.json to reduce vulnerabilities

The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-TAR-15038581
- https://snyk.io/vuln/SNYK-JS-TAR-15032660
- https://snyk.io/vuln/SNYK-JS-TAR-15127355