Bump tar from 7.4.3 to 7.5.16

[dependabot]

Bumps tar from 7.4.3 to 7.5.16.

Changelog

Sourced from tar's changelog.

Changelog

7.5

• Added zstd compression support.
• Consistent TOCTOU behavior in sync t.list
• Only read from ustar block if not specified in Pax
• Fix sync tar.list when file size reduces while reading
• Sanitize absolute linkpaths properly
• Prevent writing hardlink entries to the archive ahead of their file target

7.4

• Deprecate onentry in favor of onReadEntry for clarity.

7.3

• Add onWriteEntry option

7.2

• DRY the command definitions into a single makeCommand method, and update the type signatures to more appropriately infer the return type from the options and arguments provided.

7.1

• Update minipass to v7.1.0
• Update the type definitions of write() and end() methods on Unpack and Parser classes to be compatible with the NodeJS.WritableStream type in the latest versions of @types/node.

7.0

• Drop support for node <18
• Rewrite in TypeScript, provide ESM and CommonJS hybrid interface
• Add tree-shake friendly exports, like import('tar/create') and import('tar/read-entry') to get individual functions or classes.
• Add chmod option that defaults to false, and deprecate noChmod. That is, reverse the default option regarding explicitly setting file system modes to match tar entry settings.
• Add processUmask option to avoid having to call process.umask() when chmod: true (or noChmod: false) is set.

... (truncated)

Commits

• cf21338 7.5.16
• 21a8220 do not apply PAX header fields to meta entries
• 52632cf update project deps
• 302f51f fix inconsequential typo in PENDINGLINKS symbol name
• 55dbb99 remove some uses of mutate-fs
• 87cc309 7.5.15
• 7aef486 fix: regression in pending links detection
• 6244eb3 7.5.14
• 9704d8c stricter protection against hardlinks preempting their targets
• 700734f update workflows and deps
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by isaacs, a new releaser for tar since your current version.

Install script changes

This version adds prepare script that runs during installation. Review the package contents before updating.

---

Note

Low Risk
Dependency-only lockfile change with no app code touched; risk is limited to install/runtime behavior of packages that unpack or create tar archives transitively.

Overview
Updates the lockfile so tar resolves to 7.5.16 (from 7.4.3), with minizlib bumped to 3.1.0 as a direct dependency of tar. The nested mkdirp entry under tar is removed because the newer tar release no longer pulls it in that way.

This is a transitive dependency change only—no application source edits. The 7.5.x line adds fixes around absolute link path sanitization, hardlink ordering (targets before links), PAX/meta entry handling, and related archive read/list edge cases, plus optional zstd support in the library itself.

^{Reviewed by Cursor Bugbot for commit e1b1bd0. Bugbot is set up for automated code reviews on this repo. Configure here.}