build(deps): bump tar and sqlite3

[dependabot]

Bumps tar to 7.5.13 and updates ancestor dependency sqlite3. These dependencies need to be updated together.

Updates tar from 6.2.1 to 7.5.13

Changelog

Sourced from tar's changelog.

Changelog

7.5

• Added zstd compression support.
• Consistent TOCTOU behavior in sync t.list
• Only read from ustar block if not specified in Pax
• Fix sync tar.list when file size reduces while reading
• Sanitize absolute linkpaths properly
• Prevent writing hardlink entries to the archive ahead of their file target

7.4

• Deprecate onentry in favor of onReadEntry for clarity.

7.3

• Add onWriteEntry option

7.2

• DRY the command definitions into a single makeCommand method, and update the type signatures to more appropriately infer the return type from the options and arguments provided.

7.1

• Update minipass to v7.1.0
• Update the type definitions of write() and end() methods on Unpack and Parser classes to be compatible with the NodeJS.WritableStream type in the latest versions of @types/node.

7.0

• Drop support for node <18
• Rewrite in TypeScript, provide ESM and CommonJS hybrid interface
• Add tree-shake friendly exports, like import('tar/create') and import('tar/read-entry') to get individual functions or classes.
• Add chmod option that defaults to false, and deprecate noChmod. That is, reverse the default option regarding explicitly setting file system modes to match tar entry settings.
• Add processUmask option to avoid having to call process.umask() when chmod: true (or noChmod: false) is set.

... (truncated)

Commits

• d6611ae 7.5.13
• 119c401 fix(extract): prevent raced symlink writes outside cwd
• 2a294d3 7.5.12
• 01082a4 fix: reject top promise on floating addFilesAsync rejections
• dd1c36a linting
• 35a1ffe doc: more clarity in security warning
• bf776f6 7.5.11
• f48b5fa prevent escaping symlinks with drive-relative paths
• 97cff15 docs: more security info
• 2b72abc 7.5.10
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by isaacs, a new releaser for tar since your current version.

Install script changes

This version adds prepare script that runs during installation. Review the package contents before updating.

Updates sqlite3 from 5.1.7 to 6.0.1

Release notes

Sourced from sqlite3's releases.

v6.0.1

• Fixed prebuilt binaries for alpine/musl

Full Changelog: TryGhost/node-sqlite3@v6.0.0...v6.0.1

v6.0.0

What's Changed

• Mark repository as unmaintained by @​lsinger in TryGhost/node-sqlite3#1844
• v6.0.0 — Bump all dependencies, SQLite, and modernise CI by @​jonatansberg in TryGhost/node-sqlite3#1857

New Contributors

• @​lsinger made their first contribution in TryGhost/node-sqlite3#1844
• @​jonatansberg made their first contribution in TryGhost/node-sqlite3#1857

Full Changelog: TryGhost/node-sqlite3@v5.1.7...v6.0.0

Commits

• a7badce v6.0.1
• 0ed0c97 Fixed Alpine/musl builds, replaced QEMU with native ARM runners
• 20a3bd2 v6.0.0
• d808e57 Bumped bundled SQLite from 3.45.0 to 3.52.0
• a962b72 Bumped all dependencies and modernised CI for Node 20+/22+/24+
• 66d054a 2026
• a85f9e8 Mark repository as unmaintained (#1844)
• 528e15a 2025
• 2f0c799 Updated actions/upload-artifact to v4
• 1609684 Updated bundled SQLite to v3.45.0
• See full diff in compare view

Maintainer changes

This version was pushed to npm by jonatan-ghost, a new releaser for sqlite3 since your current version.

[cursor]

PR Summary

Medium Risk
Medium risk because it raises the minimum Node version and upgrades sqlite3/native build toolchain, which can break installs or runtime behavior across environments.

Overview
Upgrades Node requirements and dependency stack. CI now tests on Node 20.x and 22.x (dropping 18.x), and package.json raises the minimum supported Node to >=20.17.0.

Bumps sqlite3 to ^6.0.1 and refreshes the lockfile accordingly, pulling in updated native-build and packaging dependencies (notably newer tar, node-gyp, and related fetch/cache libs).

^{Reviewed by Cursor Bugbot for commit 2e62434. Bugbot is set up for automated code reviews on this repo. Configure here.}

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	sqlite3@​5.1.7 ⏵ 6.0.1

View full report

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.}

^{Reviewed by Cursor Bugbot for commit a9f4b8c. Configure here.}