chore(security): bump transitive node-tar to >=7.5.11 (clear 6 high advisories)

[xuyushun441-sys]

Summary

Clears the Validate Dependencies gate (pnpm audit --audit-level=high), which was red on main with 6 high-severity advisories — all the same dependency, node-tar@6.2.1, pulled transitively by sqlite3's node-gyp toolchain (driver-sql → sqlite3 → … → tar).

sqlite3 is only an optional peer of driver-sql (the real sqlite driver is better-sqlite3) and its build script is pnpm-ignored, so the vulnerable tar was never executed — but the audit gate flags it regardless.

Fix

Scoped pnpm.override:

"tar@>=2.0.0 <7.5.11": "^7.5.11"

• Bumps every vulnerable node-tar (6.2.1) to a patched 7.5.x+ — patched versions (7.5.15, 7.9.0) already resolved elsewhere in the tree.
• The >=2.0.0 lower bound deliberately leaves the unrelated ancient tar@1.1.11 (a different package line) untouched.

Advisories cleared: GHSA-34x7-hfp2-rc4v, -8qq5-rm4j-mr97, -83g3-92jg-28cx, -qffp-2rhf-9h96, -9ppj-qmqm-q256, -r6q2-hw4h-h46w.

Verification

• pnpm audit --audit-level=high → exit 0 (0 high / 0 critical; 2 low + 5 moderate remain, below the gate threshold).
• pnpm install --frozen-lockfile → clean; check-changeset-fixed.mjs → in sync.
• tar@6.2.1 no longer in the lockfile; tar@1.1.11 preserved.
• @objectstack/driver-sql build + 132 tests pass.

Lockfile/override-only; no published package code changes (empty changeset).

🤖 Generated with Claude Code

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
spec	Ready	Preview, Comment	Jun 1, 2026 10:31pm