Fix CVE-2026-31802 by updating tar to patched versions

[sbouchet]

What does this PR do?

This PR fixes GHSA-9ppj-qmqm-q256: Symlink Path Traversal via Drive-Relative Linkpath

tar version is updated to 7.5.11

What issues does this PR fix?

https://issues.redhat.com/browse/CRW-10346

How to test this PR?

Does this PR contain changes that override default upstream Code-OSS behavior?

• the PR contains changes in the code folder (you can skip it if your changes are placed in a che extension )
• the corresponding items were added to the CHANGELOG.md file
• rules for automatic git rebase were added to the .rebase folder

Summary by CodeRabbit

• Chores
  • Updated development dependencies to maintain security and stability of the build environment.

[github-actions]

Click here to review and test in web IDE:

[github-actions]

Pull Request images published ✨

Editor amd64: quay.io/che-incubator-pull-requests/che-code:pr-661-amd64
Editor arm64: quay.io/che-incubator-pull-requests/che-code:pr-661-arm64
Dev image: quay.io/che-incubator-pull-requests/che-code-dev:pr-661-dev-amd64

[github-actions]

Pull Request images published ✨

Editor amd64: quay.io/che-incubator-pull-requests/che-code:pr-661-amd64
Editor arm64: quay.io/che-incubator-pull-requests/che-code:pr-661-arm64
Dev image: quay.io/che-incubator-pull-requests/che-code-dev:pr-661-dev-amd64

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: dd7da7b0-a527-4ce4-9602-0c8307575a6b

📥 Commits

Reviewing files that changed from the base of the PR and between c96b390 and b13f694.

⛔ Files ignored due to path filters (2)

• code/build/npm/gyp/package-lock.json is excluded by !**/package-lock.json
• code/package-lock.json is excluded by !**/package-lock.json

📒 Files selected for processing (5)

• .rebase/CHANGELOG.md
• .rebase/add/code/build/npm/gyp/package.json
• .rebase/add/code/package.json
• code/build/npm/gyp/package.json
• code/package.json

---

📝 Walkthrough

Walkthrough

A changelog entry is added referencing PR 661, and the tar dependency is bumped from ^7.5.8 to ^7.5.11 across multiple package.json files. No functional code changes or API modifications.

Changes

Cohort / File(s)	Summary
Documentation .rebase/CHANGELOG.md	New changelog entry added for PR 661 documenting changes to package.json files.
Dependency Version Updates code/package.json, code/build/npm/gyp/package.json, .rebase/add/code/package.json, .rebase/add/code/build/npm/gyp/package.json	tar dependency version bumped from ^7.5.8 to ^7.5.11 in package.json override sections across multiple locations.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Poem

🐰 A version bump hops into view,
From 7.5.8 to 7.5.11 anew!
The changelog records this tiny leap,
Dependencies fresh, the changes run deep.
⬆️ ✨

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main change: updating the tar dependency to fix a specific CVE vulnerability. It is clear, specific, and directly reflects the changeset's primary objective.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

📝 Coding Plan

• Generate coding plan for human review comments

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

Tip

You can disable the changed files summary in the walkthrough.

Disable the reviews.changed_files_summary setting to disable the changed files summary in the walkthrough.

[github-actions]

Pull Request images published ✨

Editor amd64: quay.io/che-incubator-pull-requests/che-code:pr-661-amd64
Editor arm64: quay.io/che-incubator-pull-requests/che-code:pr-661-arm64
Dev image: quay.io/che-incubator-pull-requests/che-code-dev:pr-661-dev-amd64

[github-actions]

Pull Request images published ✨

Editor amd64: quay.io/che-incubator-pull-requests/che-code:pr-661-amd64
Editor arm64: quay.io/che-incubator-pull-requests/che-code:pr-661-arm64
Dev image: quay.io/che-incubator-pull-requests/che-code-dev:pr-661-dev-amd64