chore(deps): bump tar and npm by dependabot[bot] · Pull Request #28 · Doist/comms-cli

dependabot · 2026-06-15T21:29:00Z

Removes tar. It's no longer used after updating ancestor dependency npm. These dependencies need to be updated together.

Removes tar

Updates npm from 11.14.1 to 11.17.0

Release notes

Sourced from npm's releases.

v11.17.0

11.17.0 (2026-06-11)

Features

ae8ac4e #9534 add min-release-age-exclude config (@JamieMagee, @caseyjhol)

8ff3e48 #9483 allowScripts tooling and inBundle hardening (#9483) (@github-actions[bot], @JamieMagee)

Bug Fixes

847cdf8 #9541 match dotted and versioned args in approve-scripts/deny-scripts (@owlstronaut)

d99f7cb #9535 emit valid JSON from approve-scripts/deny-scripts --json (@owlstronaut)

351a309 #9499 pass script-shell to publish lifecycle hooks (#9499) (@github-actions[bot])

4fa81df #9497 recognize allowScripts for local link targets (#9497) (@github-actions[bot], @cyphercodes, @cyphercodes)

95cf2e9 #9489 validate registry path for allow-remote tarballs (@Abhinav-143x)

9dd219b #9462 respect allowScripts policy in prune, dedupe, uninstall, audit, and link (#9462) (@github-actions[bot], @JamieMagee)

cd8d18a #9482 list pending scripts in approve-scripts when ignore-scripts is set (#9482) (@github-actions[bot], @JamieMagee)

c14e87c #9481 suggest --allow-scripts for global installs in unreviewed-scripts warnings (#9481) (@github-actions[bot], @JamieMagee)

7ade52e #9465 invalid issue template YAML indentation (#9465) (@github-actions[bot], @fallintoplace)

c069622 #9464 show full parent command path in subcommand usage errors (#9464) (@owlstronaut)

1bb62bb #9454 config: clarify --all help so it's accurate for approve-scripts and deny-scripts (@JamieMagee)

84eeb5f #9431 audit: don't apply min-release-age before filter when verifying installed signatures (@JamieMagee)

3bd3377 #9426 block forbidden keys in Queryable setter to prevent prototype pollution (@12122J, @claude)

Documentation

a86a7a9 #9522 approve-scripts only throws EGLOBAL when run with -g (@JamieMagee)

693bb3d #9508 clarify package.json override value specs (#9508) (@github-actions[bot], @ded-furby)

ccffe4a #9501 use the latest version for global update and outdated's wanted (#9501) (@github-actions[bot], @liangmiQwQ)

66e97c2 #9478 update minimum npm required for npm trust (@meeech)

Dependencies

bd09b87 #9542 postcss-selector-parser@7.1.4

95bfc4c #9542 tinyglobby@0.2.17

8c0d5fd #9542 tar@7.5.16

967d377 #9542 semver@7.8.4

cdaac1b #9542 pacote@21.5.1

25c8a9e #9542 node-gyp@12.4.0

Chores

2922fa4 #9542 dev dependency updates (@owlstronaut)

workspace: @npmcli/arborist@9.8.0

workspace: @npmcli/config@10.11.0

workspace: libnpmdiff@8.1.10

workspace: libnpmexec@10.3.0

workspace: libnpmfund@7.0.24

workspace: libnpmpack@9.1.10

v11.16.0

11.16.0 (2026-05-27)

Features

4b67f6e #9416 publish --access=private alias for restricted (#9416) (@github-actions[bot], @reggi, @Copilot)

a10c7ca #9415 Phase 1 of allowScripts opt-in install-script policy (#9360) (#9415) (@owlstronaut, @JamieMagee)

Bug Fixes

1f7869b #9411 fix typo of fullMetadata (@owlstronaut)

cde03ba #9390 config: pause progress spinner during interactive editor spawn (#9388) (@github-actions[bot], @Zelys-DFKH, @claude)

Documentation

c5e9d73 #9390 Document npm_old_version and npm_new_version environment variables (#9389) (@github-actions[bot], @36degrees)

... (truncated)

Changelog

Sourced from npm's changelog.

11.17.0 (2026-06-11)

Features

ae8ac4e #9534 add min-release-age-exclude config (@JamieMagee, @caseyjhol)

8ff3e48 #9483 allowScripts tooling and inBundle hardening (#9483) (@github-actions[bot], @JamieMagee)

Bug Fixes

847cdf8 #9541 match dotted and versioned args in approve-scripts/deny-scripts (@owlstronaut)

d99f7cb #9535 emit valid JSON from approve-scripts/deny-scripts --json (@owlstronaut)

351a309 #9499 pass script-shell to publish lifecycle hooks (#9499) (@github-actions[bot])

4fa81df #9497 recognize allowScripts for local link targets (#9497) (@github-actions[bot], @cyphercodes, @cyphercodes)

95cf2e9 #9489 validate registry path for allow-remote tarballs (@Abhinav-143x)

9dd219b #9462 respect allowScripts policy in prune, dedupe, uninstall, audit, and link (#9462) (@github-actions[bot], @JamieMagee)

cd8d18a #9482 list pending scripts in approve-scripts when ignore-scripts is set (#9482) (@github-actions[bot], @JamieMagee)

c14e87c #9481 suggest --allow-scripts for global installs in unreviewed-scripts warnings (#9481) (@github-actions[bot], @JamieMagee)

7ade52e #9465 invalid issue template YAML indentation (#9465) (@github-actions[bot], @fallintoplace)

c069622 #9464 show full parent command path in subcommand usage errors (#9464) (@owlstronaut)

1bb62bb #9454 config: clarify --all help so it's accurate for approve-scripts and deny-scripts (@JamieMagee)

84eeb5f #9431 audit: don't apply min-release-age before filter when verifying installed signatures (@JamieMagee)

3bd3377 #9426 block forbidden keys in Queryable setter to prevent prototype pollution (@12122J, @claude)

Documentation

a86a7a9 #9522 approve-scripts only throws EGLOBAL when run with -g (@JamieMagee)

693bb3d #9508 clarify package.json override value specs (#9508) (@github-actions[bot], @ded-furby)

ccffe4a #9501 use the latest version for global update and outdated's wanted (#9501) (@github-actions[bot], @liangmiQwQ)

66e97c2 #9478 update minimum npm required for npm trust (@meeech)

Dependencies

bd09b87 #9542 postcss-selector-parser@7.1.4

95bfc4c #9542 tinyglobby@0.2.17

8c0d5fd #9542 tar@7.5.16

967d377 #9542 semver@7.8.4

cdaac1b #9542 pacote@21.5.1

25c8a9e #9542 node-gyp@12.4.0

Chores

2922fa4 #9542 dev dependency updates (@owlstronaut)

workspace: @npmcli/arborist@9.8.0

workspace: @npmcli/config@10.11.0

workspace: libnpmdiff@8.1.10

workspace: libnpmexec@10.3.0

workspace: libnpmfund@7.0.24

workspace: libnpmpack@9.1.10

11.16.0 (2026-05-27)

Features

4b67f6e #9416 publish --access=private alias for restricted (#9416) (@github-actions[bot], @reggi, @Copilot)

a10c7ca #9415 Phase 1 of allowScripts opt-in install-script policy (#9360) (#9415) (@owlstronaut, @JamieMagee)

Bug Fixes

1f7869b #9411 fix typo of fullMetadata (@owlstronaut)

cde03ba #9390 config: pause progress spinner during interactive editor spawn (#9388) (@github-actions[bot], @Zelys-DFKH, @claude)

Documentation

c5e9d73 #9390 Document npm_old_version and npm_new_version environment variables (#9389) (@github-actions[bot], @36degrees)

Dependencies

cdd7bbc #9421 undici@6.26.0

... (truncated)

Commits

5866280 chore: release 11.17.0
2922fa4 chore: dev dependency updates
bd09b87 deps: postcss-selector-parser@7.1.4
95bfc4c deps: tinyglobby@0.2.17
8c0d5fd deps: tar@7.5.16
967d377 deps: semver@7.8.4
cdaac1b deps: pacote@21.5.1
25c8a9e deps: node-gyp@12.4.0
847cdf8 fix: match dotted and versioned args in approve-scripts/deny-scripts
5f73e31 feat: differentiate GitHub Actions environments in user-agent (#9517)
Additional commits viewable in compare view

doistbot

This PR updates chore(deps): bump tar and npm. No issues were flagged in the reviewed diff.

_{Share Feedback • Review Logs}

scottlovegrove · 2026-06-26T16:07:36Z

@dependabot rebase

Removes [tar](https://github.com/isaacs/node-tar). It's no longer used after updating ancestor dependency [npm](https://github.com/npm/cli). These dependencies need to be updated together. Removes `tar` Updates `npm` from 11.14.1 to 11.17.0 - [Release notes](https://github.com/npm/cli/releases) - [Changelog](https://github.com/npm/cli/blob/v11.17.0/CHANGELOG.md) - [Commits](npm/cli@v11.14.1...v11.17.0) --- updated-dependencies: - dependency-name: npm dependency-version: 11.17.0 dependency-type: indirect - dependency-name: tar dependency-version: dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com>

doist-release-bot · 2026-06-26T17:37:37Z

🎉 This PR is included in version 1.9.0 🎉

The release is available on:

Your semantic-release bot 📦🚀

dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Jun 15, 2026

doistbot reviewed Jun 15, 2026

View reviewed changes

dependabot Bot force-pushed the dependabot/npm_and_yarn/multi-79a8a94197 branch from 6c0c67a to 9cea162 Compare June 18, 2026 12:21

dependabot Bot force-pushed the dependabot/npm_and_yarn/multi-79a8a94197 branch from 9cea162 to dc816c4 Compare June 26, 2026 16:08

scottlovegrove merged commit 425b434 into main Jun 26, 2026
5 checks passed

scottlovegrove deleted the dependabot/npm_and_yarn/multi-79a8a94197 branch June 26, 2026 16:11

doist-release-bot Bot added the released label Jun 26, 2026

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

chore(deps): bump tar and npm#28

chore(deps): bump tar and npm#28
scottlovegrove merged 1 commit into
mainfrom
dependabot/npm_and_yarn/multi-79a8a94197

dependabot Bot commented on behalf of github Jun 15, 2026 •

edited

Loading

Uh oh!

doistbot left a comment

Uh oh!

scottlovegrove commented Jun 26, 2026

Uh oh!

Uh oh!

doist-release-bot Bot commented Jun 26, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

Uh oh!

Conversation

dependabot Bot commented on behalf of github Jun 15, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

v11.17.0

11.17.0 (2026-06-11)

Features

Bug Fixes

Documentation

Dependencies

Chores

v11.16.0

11.16.0 (2026-05-27)

Features

Bug Fixes

Documentation

11.17.0 (2026-06-11)

Features

Bug Fixes

Documentation

Dependencies

Chores

11.16.0 (2026-05-27)

Features

Bug Fixes

Documentation

Dependencies

Uh oh!

doistbot left a comment

Choose a reason for hiding this comment

Uh oh!

scottlovegrove commented Jun 26, 2026

Uh oh!

Uh oh!

doist-release-bot Bot commented Jun 26, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

dependabot Bot commented on behalf of github Jun 15, 2026 •

edited

Loading