@tk-o tk-o commented Jan 18, 2026

Lite PR

Summary

  • NPM version overrides got updated.

Why

  • PR addresses security audit issues.

Testing

  • I ran pnpm i and then examined pnpm-lock.yaml to ensure the right scope of updates.

Notes for Reviewer (Optional)

  • Anything non-obvious or worth a heads-up.

Pre-Review Checklist (Blocking)

  • This PR does not introduce significant changes and is low-risk to review quickly.
  • Relevant changesets are included (or are not required)

PR Creation Tips
  • If this PR introduces significant changes or is higher-risk to review use the "Substantial PR" template instead.
  • Changesets should optimize for the narrative of the next autogenerated release notes. Optimize for how the resulting release notes will read to a developer in the ENS Ecosystem. Communicate all ideas with a positive frame.
  • The "Require PR Description Checks" GitHub Action will report a failing CI check on non-draft PRs where there are unchecked checkboxes in the description. You should therefore make your PR a draft PR until it is ready for review.

Summary by CodeRabbit

  • Chores
    • Updated package dependency version constraints to ensure compatibility and stability.

Addresses security audit issues.
@tk-o tk-o requested a review from a team as a code owner January 18, 2026 19:44
Copilot AI review requested due to automatic review settings January 18, 2026 19:44
changeset-bot bot commented Jan 18, 2026

⚠️ No Changeset found

Latest commit: 3253725

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

vercel bot commented Jan 18, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Review Updated (UTC)
admin.ensnode.io Ready Ready Preview, Comment Jan 18, 2026 7:44pm
ensnode.io Ready Ready Preview, Comment Jan 18, 2026 7:44pm
ensrainbow.io Ready Ready Preview, Comment Jan 18, 2026 7:44pm

coderabbitai bot commented Jan 18, 2026

Walkthrough

The pull request adds a new pnpm override for the tar package, pinning versions between 7.5.2 and 7.5.3 in package.json. This is a dependency version constraint modification with no functional code changes.

Changes

Cohort / File(s) Summary
Dependency Version Override
package.json
Added pnpm override for tar package (>=7.5.3, <=7.5.2) alongside existing h3 override

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Poem

🐰 A nibble of tar, so precise and neat,
Version fences keep packages sweet,
Constraints are set, from seven-point-five,
Dependencies stable and ready to thrive! 🎀

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
Check name Status Explanation
Title check ✅ Passed The title clearly describes the main change: updating version overrides in package.json to address security audit issues.
Description check ✅ Passed The PR description follows the required template structure with all key sections completed: Summary, Why, Testing, and Pre-Review Checklist fully filled out.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

Copilot AI left a comment

Pull request overview

This PR updates NPM version overrides to address security audit issues by enforcing a minimum version of the tar package.

Changes:

  • Added override to force tar package to version 7.5.3 or higher
  • Updated pnpm-lock.yaml to reflect the tar upgrade and its transitive dependencies

Reviewed changes

Copilot reviewed 1 out of 2 changed files in this pull request and generated no comments.

File Description
package.json Added tar@<=7.5.2: '>=7.5.3' override to enforce secure version
pnpm-lock.yaml Updated tar from 6.2.1 to 7.5.3 and upgraded related transitive dependencies (chownr, minipass, minizlib, yallist, @isaacs/fs-minipass)
Files not reviewed (1)
  • pnpm-lock.yaml: Language not supported

greptile-apps bot commented Jan 18, 2026

Greptile Summary

This PR adds a pnpm version override for the tar package to enforce minimum version 7.5.3, addressing security vulnerabilities in earlier versions. The change cascades through the lock file, updating tar from 6.2.1 to 7.5.3 and its dependencies (chownr, minipass, minizlib, yallist, and adding @isaacs/fs-minipass) to versions compatible with Node.js 18+.

  • Added tar@<=7.5.2: ">=7.5.3" override in package.json line 43
  • Updated tar from 6.2.1 to 7.5.3 in lockfile
  • Updated transitive dependencies to compatible versions
  • Used by @iconify/tools package in the dependency tree

The changes are minimal, focused, and follow the same pattern as other security overrides in the repository.

Confidence Score: 5/5

  • This PR is safe to merge with minimal risk - it's a security patch applying version overrides
  • The change is a straightforward dependency security update using pnpm overrides, following the same pattern as existing security patches in the repository. The lockfile updates are automated and properly cascade the version bump through transitive dependencies. No application code changes.
  • No files require special attention

Important Files Changed

Filename Overview
package.json Added tar@<=7.5.2 override to enforce minimum version 7.5.3 for security patch
pnpm-lock.yaml Updated tar from 6.2.1 to 7.5.3 and its dependencies (chownr, minipass, minizlib, yallist) to compatible versions

Sequence Diagram

sequenceDiagram
    participant Dev as Developer
    participant PM as Package Manager (pnpm)
    participant Reg as npm Registry
    participant Audit as Security Audit

    Dev->>PM: Run pnpm install
    PM->>PM: Read package.json overrides
    PM->>PM: Check tar version requirement (>=7.5.3)
    PM->>Reg: Request tar@7.5.3
    Reg-->>PM: Return tar@7.5.3 package
    PM->>Reg: Request updated dependencies
    Note over PM,Reg: [email protected], [email protected]<br/>[email protected], [email protected]<br/>@isaacs/[email protected]
    Reg-->>PM: Return dependency packages
    PM->>PM: Update pnpm-lock.yaml
    PM->>PM: Install packages to node_modules
    PM-->>Dev: Installation complete
    Dev->>Audit: Run security audit
    Audit-->>Dev: No tar vulnerabilities found
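The author's testing step above (run pnpm i, then inspect pnpm-lock.yaml for the right scope of updates) can be automated. The script below is an added example, not code from this PR or from the ENSNode project: it scans the "packages:" section of a pnpm-lock.yaml and reports every resolved copy of an overridden package that still falls below the override's minimum, using the PR's own override, "tar@<=7.5.2": ">=7.5.3". It assumes pnpm's lockfile v9 layout (entries such as "  tar@7.5.3:" under "packages:"), plain major.minor.patch versions, and ">=" override targets. The two lockfile fragments, their integrity hashes and the @isaacs/fs-minipass version are constructed placeholders; only the tar versions 6.2.1 and 7.5.3 come from the PR.

```javascript
// Added example, not code from the PR or the ENSNode project.
// Verifies that every copy of an overridden package resolved in pnpm-lock.yaml
// satisfies the override target, e.g. { "tar@<=7.5.2": ">=7.5.3" }.
// Assumptions: pnpm lockfile v9 layout (entries such as "  tar@7.5.3:" under
// "packages:"), plain major.minor.patch versions, and ">=<version>" targets.

// Parse "major.minor.patch" (any prerelease/build suffix dropped) into numbers.
function parseSemver(version) {
  const parts = version.split(/[-+]/)[0].split(".").map(Number);
  if (parts.length !== 3 || parts.some(Number.isNaN)) {
    throw new Error(`not a semver version: ${version}`);
  }
  return parts;
}

// Negative if a < b, zero if equal, positive if a > b.
function compareSemver(a, b) {
  const [pa, pb] = [parseSemver(a), parseSemver(b)];
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Map of package name -> Set of versions listed in the "packages:" section.
// Scoped names ("@isaacs/fs-minipass") and peer suffixes ("(peer@1.0.0)") are handled.
function lockedVersions(lockText) {
  const versions = new Map();
  let inPackages = false;
  for (const line of lockText.split("\n")) {
    if (/^packages:\s*$/.test(line)) { inPackages = true; continue; }
    if (/^\S/.test(line)) inPackages = false; // any other top-level key ends the section
    if (!inPackages) continue;
    // Exactly two leading spaces marks a package entry; deeper lines are metadata.
    const m = line.match(/^ {2}'?((?:@[^/'\s]+\/)?[^@'\s]+)@([^:'(]+)/);
    if (!m) continue;
    const [, name, version] = m;
    if (!versions.has(name)) versions.set(name, new Set());
    versions.get(name).add(version);
  }
  return versions;
}

// For overrides of the form "<name>[@<selector range>]": ">=<min>", list the
// locked versions of <name> that are still below <min>.
function findUnpatched(overrides, lockText) {
  const locked = lockedVersions(lockText);
  const unpatched = [];
  for (const [selector, target] of Object.entries(overrides)) {
    // Drop a trailing "@<range>" but keep a leading "@scope/".
    const name = selector.replace(/(.)@[^@]*$/, "$1");
    const min = target.match(/^>=\s*(\S+)$/);
    if (!min) throw new Error(`unsupported override target: ${target}`);
    for (const version of locked.get(name) ?? []) {
      if (compareSemver(version, min[1]) < 0) unpatched.push(`${name}@${version}`);
    }
  }
  return unpatched.sort();
}

// The override this PR adds to package.json.
const OVERRIDES = { "tar@<=7.5.2": ">=7.5.3" };

// Constructed lockfile fragments: integrity hashes and the fs-minipass version
// are placeholders; the tar versions 6.2.1 and 7.5.3 are the ones in the PR.
const LOCK_BEFORE = `lockfileVersion: '9.0'

packages:
  tar@6.2.1:
    resolution: {integrity: sha512-CONSTRUCTED}

snapshots:
  tar@6.2.1: {}
`;

const LOCK_AFTER = `lockfileVersion: '9.0'

packages:
  '@isaacs/fs-minipass@4.0.1':
    resolution: {integrity: sha512-CONSTRUCTED}

  tar@7.5.3:
    resolution: {integrity: sha512-CONSTRUCTED}

snapshots:
  tar@7.5.3:
    dependencies:
      '@isaacs/fs-minipass': 4.0.1
`;

console.log("before:", findUnpatched(OVERRIDES, LOCK_BEFORE)); // [ 'tar@6.2.1' ]
console.log("after: ", findUnpatched(OVERRIDES, LOCK_AFTER));  // []
```

Checking the resolved graph rather than trusting the override rule alone is what gives assurance: the lockfile is the record of what pnpm actually installed, so a second copy of the package that the selector did not rewrite shows up here as a remaining entry below the minimum.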

@lightwalker-eth lightwalker-eth merged commit 8ac29a9 into main Jan 19, 2026
23 of 25 checks passed
@lightwalker-eth lightwalker-eth deleted the deps/fix-sec-audit-issues branch January 19, 2026 06:13