
chore(repo): bump tar for security advisory#8683

Merged: jacekradko merged 2 commits into main from jacek/bump-tar-security on May 28, 2026

Conversation

@jacekradko (Member) commented May 28, 2026

Bumps tar to 7.5.11 across the lockfile via a root pnpm override, clearing Dependabot alerts #486, #489, #500, #531, #577, and #583. Before this we had a mix of tar@6.2.1 and tar@7.5.2 pulled in transitively; the override collapses both to 7.5.11. Empty changeset since nothing published changes.
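The override approach described in the PR description above (and again in the walkthrough further down) leaves one question for a reviewer: did the override really collapse every transitive copy of tar, or is a tar below 7.5.11 still resolved somewhere in `pnpm-lock.yaml`? The Node.js script below is an added example, not code from the clerk/javascript repository or from this PR. It assumes the override has the shape `{"pnpm": {"overrides": {"tar@<7.5.11": "7.5.11"}}}` (the exact key is not shown on the page; pnpm accepts `"package@range": "version"` keys) and it runs over a constructed lockfile excerpt with placeholder integrity hashes, not the repository's real lockfile.

```javascript
// Added example (not code from the clerk/javascript repository or this PR):
// verify that a pnpm override actually collapsed every transitive copy of a
// package to the patched version by scanning the `packages:` section of
// pnpm-lock.yaml. Plain Node.js, no dependencies.

// Assumed shape of the root package.json override the PR describes; the exact
// key is not shown on the page. pnpm accepts "package@range": "version" keys.
const OVERRIDES = { "tar@<7.5.11": "7.5.11" };

// "1.2.3" -> [1, 2, 3]. Prerelease and build suffixes are ignored (assumption:
// only released versions appear in the lockfile being checked).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`not a semver version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Numeric three-part comparison: -1 if a < b, 1 if a > b, 0 if equal.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Every version of `name` resolved in the lockfile's `packages:` section.
// Lockfile v9 keys look like "  tar@7.5.2:" or "  @scope/pkg@1.0.0(peer@2.0.0):".
function resolvedVersions(lockText, name) {
  const versions = new Set();
  let inPackages = false;
  for (const line of lockText.split("\n")) {
    if (/^\S/.test(line)) inPackages = /^packages:/.test(line); // top-level section switch
    if (!inPackages) continue;
    const m = /^  (@?[^@\s]+)@([^:(\s]+)(?:\([^)]*\))*:\s*$/.exec(line);
    if (m && m[1] === name) versions.add(m[2]);
  }
  return [...versions].sort(compareVersions);
}

// Versions of `name` that sit below `floor`. An empty list is the result a
// reviewer wants to see after a security bump like this one.
function versionsBelowFloor(lockText, name, floor) {
  return resolvedVersions(lockText, name).filter(v => compareVersions(v, floor) < 0);
}

// What the override does to a single requested version. Only "pkg@<X.Y.Z"
// selectors are modelled here (assumption: enough for this PR's override).
function applyOverride(name, version, overrides = OVERRIDES) {
  for (const [key, target] of Object.entries(overrides)) {
    const m = /^(.+)@<(\d+\.\d+\.\d+)$/.exec(key);
    if (m && m[1] === name && compareVersions(version, m[2]) < 0) return target;
  }
  return version;
}

// Constructed lockfile excerpts (not the repository's real pnpm-lock.yaml;
// integrity hashes are placeholders). BEFORE mirrors the tar@6.2.1 / tar@7.5.2
// mix the PR description reports; AFTER is the state the override produces.
const LOCK_BEFORE = `lockfileVersion: '9.0'

packages:

  example-dep@1.0.0:
    resolution: {integrity: sha512-PLACEHOLDER}

  tar@6.2.1:
    resolution: {integrity: sha512-PLACEHOLDER}
    engines: {node: '>=10'}

  tar@7.5.2:
    resolution: {integrity: sha512-PLACEHOLDER}
    engines: {node: '>=18'}

snapshots:

  tar@6.2.1: {}
`;

const LOCK_AFTER = `lockfileVersion: '9.0'

packages:

  example-dep@1.0.0:
    resolution: {integrity: sha512-PLACEHOLDER}

  tar@7.5.11:
    resolution: {integrity: sha512-PLACEHOLDER}
    engines: {node: '>=18'}
`;

console.log("below floor before override:", versionsBelowFloor(LOCK_BEFORE, "tar", "7.5.11"));
console.log("below floor after override: ", versionsBelowFloor(LOCK_AFTER, "tar", "7.5.11"));
console.log("tar@6.2.1 resolves to:", applyOverride("tar", "6.2.1"));
```

Against a real checkout, feed the script the contents of `pnpm-lock.yaml`; `pnpm why tar` gives the same answer together with the dependency paths that pull each copy in. Two caveats a reviewer should keep in mind: a root `pnpm.overrides` entry only governs installs in this workspace, which is consistent with the empty changeset noted in the description, so consumers of the published @clerk packages resolve tar through their own lockfiles and need their own bump; and the key matching above is specific to the lockfile v9 layout, so older lockfile formats need a different parser.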

changeset-bot (Bot) commented May 28, 2026

🦋 Changeset detected

Latest commit: 11cf67d

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 0 packages

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types


vercel (Bot) commented May 28, 2026

The latest updates on your projects.

| Project | Deployment | Actions | Updated (UTC) |
| --- | --- | --- | --- |
| clerk-js-sandbox | Ready | Preview, Comment | May 28, 2026 4:33pm |


pkg-pr-new (Bot) commented May 28, 2026


@clerk/astro

npm i https://pkg.pr.new/@clerk/astro@8683

@clerk/backend

npm i https://pkg.pr.new/@clerk/backend@8683

@clerk/chrome-extension

npm i https://pkg.pr.new/@clerk/chrome-extension@8683

@clerk/clerk-js

npm i https://pkg.pr.new/@clerk/clerk-js@8683

@clerk/dev-cli

npm i https://pkg.pr.new/@clerk/dev-cli@8683

@clerk/expo

npm i https://pkg.pr.new/@clerk/expo@8683

@clerk/expo-passkeys

npm i https://pkg.pr.new/@clerk/expo-passkeys@8683

@clerk/express

npm i https://pkg.pr.new/@clerk/express@8683

@clerk/fastify

npm i https://pkg.pr.new/@clerk/fastify@8683

@clerk/hono

npm i https://pkg.pr.new/@clerk/hono@8683

@clerk/localizations

npm i https://pkg.pr.new/@clerk/localizations@8683

@clerk/nextjs

npm i https://pkg.pr.new/@clerk/nextjs@8683

@clerk/nuxt

npm i https://pkg.pr.new/@clerk/nuxt@8683

@clerk/react

npm i https://pkg.pr.new/@clerk/react@8683

@clerk/react-router

npm i https://pkg.pr.new/@clerk/react-router@8683

@clerk/shared

npm i https://pkg.pr.new/@clerk/shared@8683

@clerk/tanstack-react-start

npm i https://pkg.pr.new/@clerk/tanstack-react-start@8683

@clerk/testing

npm i https://pkg.pr.new/@clerk/testing@8683

@clerk/ui

npm i https://pkg.pr.new/@clerk/ui@8683

@clerk/upgrade

npm i https://pkg.pr.new/@clerk/upgrade@8683

@clerk/vue

npm i https://pkg.pr.new/@clerk/vue@8683

commit: 11cf67d

@jacekradko jacekradko marked this pull request as ready for review May 28, 2026 03:13
coderabbitai (Contributor, Bot) commented May 28, 2026


📝 Walkthrough

This PR applies a security patch to the tar package by pinning it to version 7.5.11. The change adds a pnpm override entry to package.json that forces any tar version below 7.5.11 to resolve to 7.5.11, ensuring the fixed version is installed across the monorepo. A Changeset entry documents this security-driven version update.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Possibly related PRs

  • clerk/javascript#8616: Similar structure combining a Changeset file with package.json override adjustments for a security dependency fix.
🚥 Pre-merge checks: ✅ 5 passed

| Check name | Status | Explanation |
| --- | --- | --- |
| Title check | ✅ Passed | The title clearly and specifically describes the main change: bumping the tar dependency for security reasons, which matches the PR's primary objective of addressing security vulnerabilities. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Description check | ✅ Passed | The pull request description clearly explains the security bump for tar to version 7.5.11, references specific Dependabot alerts being addressed, and describes the pnpm override approach used. |




@jacekradko jacekradko merged commit 37535f9 into main May 28, 2026
43 checks passed
@jacekradko jacekradko deleted the jacek/bump-tar-security branch May 28, 2026 16:55

2 participants