Bump tar and lerna

[dependabot]

Bumps tar to 7.5.8 and updates ancestor dependency lerna. These dependencies need to be updated together.

Updates tar from 7.5.2 to 7.5.8

Commits

• 6b8eba0 7.5.8
• 2cb1120 fix(unpack): improve UnpackSync symlink error "into" path accuracy
• d18e4e1 fix: do not write linkpaths through symlinks
• 4a37eb9 7.5.7
• f4a7aa9 fix: properly sanitize hard links containing ..
• 394ece6 7.5.6
• 7d4cc17 fix race puting a Link ahead of its target File
• 26ab904 7.5.5
• e9a1ddb fix: do not prevent valid linkpaths within archive
• 911c886 7.5.4
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by isaacs, a new releaser for tar since your current version.

Install script changes

This version adds prepare script that runs during installation. Review the package contents before updating.

Updates lerna from 9.0.3 to 9.0.5

Release notes

Sourced from lerna's releases.

v9.0.5

9.0.5 (2026-02-28)

Bug Fixes

• bump minimatch from 3.0.5 to 3.1.4 (#4285) (2e3f99e)
• bump tar from 7.5.7 to 7.5.8 (#4273) (bdffd1d)

v9.0.4

9.0.4 (2026-02-10)

Bug Fixes

• bump tar to 7.5.7, rimraf to 6.1.2, @​npmcli/run-script to 10.0.3 (#4267) (43e3d46)

Changelog

Sourced from lerna's changelog.

9.0.5 (2026-02-28)

Bug Fixes

• bump minimatch from 3.0.5 to 3.1.4 (#4285) (2e3f99e)
• bump tar from 7.5.7 to 7.5.8 (#4273) (bdffd1d)

9.0.4 (2026-02-10)

Bug Fixes

• bump tar to 7.5.7, rimraf to 6.1.2, @​npmcli/run-script to 10.0.3 (#4267) (43e3d46)

Commits

• 85b9d95 chore(misc): publish 9.0.5
• 2e3f99e fix: bump minimatch from 3.0.5 to 3.1.4 (#4285)
• bdffd1d fix: bump tar from 7.5.7 to 7.5.8 (#4273)
• 5f3669c chore(misc): publish 9.0.4
• 43e3d46 fix: bump tar to 7.5.7, rimraf to 6.1.2, @​npmcli/run-script to 10.0.3 (#4267)
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.

---

Note

Medium Risk
Large package-lock.json churn updates build/release tooling (lerna, tar, nx, node-gyp, sigstore, etc.), which can affect install/build behavior and CI even though no app code changes.

Overview
Updates dependency lockfile to pick up lerna 9.0.5 (and related tooling like @nx/devkit/nx) and bumps tar to 7.5.8.

This refreshes a wide set of transitive packages (notably node-gyp, pacote, sigstore/tuf-js, minimatch/brace-expansion, and axios), and adjusts some lockfile metadata (peer/dev flags and optional deps) as part of the upgrade.

^{Written by Cursor Bugbot for commit 8c2f8e6. This will update automatically on new commits. Configure here.}

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
web3auth-web	Ready	Preview, Comment	Feb 28, 2026 9:41pm