refactor: Bump tar, npm and mongodb-runner

[dependabot]

Bumps tar to 7.5.13 and updates ancestor dependencies tar, npm and mongodb-runner. These dependencies need to be updated together.

Updates tar from 6.2.1 to 7.5.13

Changelog

Sourced from tar's changelog.

Changelog

7.5

• Added zstd compression support.
• Consistent TOCTOU behavior in sync t.list
• Only read from ustar block if not specified in Pax
• Fix sync tar.list when file size reduces while reading
• Sanitize absolute linkpaths properly
• Prevent writing hardlink entries to the archive ahead of their file target

7.4

• Deprecate onentry in favor of onReadEntry for clarity.

7.3

• Add onWriteEntry option

7.2

• DRY the command definitions into a single makeCommand method, and update the type signatures to more appropriately infer the return type from the options and arguments provided.

7.1

• Update minipass to v7.1.0
• Update the type definitions of write() and end() methods on Unpack and Parser classes to be compatible with the NodeJS.WritableStream type in the latest versions of @types/node.

7.0

• Drop support for node <18
• Rewrite in TypeScript, provide ESM and CommonJS hybrid interface
• Add tree-shake friendly exports, like import('tar/create') and import('tar/read-entry') to get individual functions or classes.
• Add chmod option that defaults to false, and deprecate noChmod. That is, reverse the default option regarding explicitly setting file system modes to match tar entry settings.
• Add processUmask option to avoid having to call process.umask() when chmod: true (or noChmod: false) is set.

... (truncated)

Commits

• d6611ae 7.5.13
• 119c401 fix(extract): prevent raced symlink writes outside cwd
• 2a294d3 7.5.12
• 01082a4 fix: reject top promise on floating addFilesAsync rejections
• dd1c36a linting
• 35a1ffe doc: more clarity in security warning
• bf776f6 7.5.11
• f48b5fa prevent escaping symlinks with drive-relative paths
• 97cff15 docs: more security info
• 2b72abc 7.5.10
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by isaacs, a new releaser for tar since your current version.

Install script changes

This version adds prepare script that runs during installation. Review the package contents before updating.

Updates npm from 10.8.1 to 10.9.8

Release notes

Sourced from npm's releases.

v10.9.8

Dependencies

• workspace: @npmcli/arborist@8.0.5
• workspace: libnpmdiff@7.0.5
• workspace: libnpmexec@9.0.5
• workspace: libnpmfund@6.0.5
• workspace: libnpmpack@8.0.5

v10.9.7

10.9.7 (2026-03-18)

Bug Fixes

• bbcd455 #9120 arborist: v10 - backport store, lock-only, and override sibling fixes (#9120) (@​manzoorwanijk)

Dependencies

• cc9a4de #9130 hoist production @​sigstore dependencies

Chores

• e5c1309 #9130 dev dependency updates (@​wraithgar)
• workspace: @npmcli/arborist@8.0.4
• workspace: libnpmdiff@7.0.4
• workspace: libnpmexec@9.0.4
• workspace: libnpmfund@6.0.4
• workspace: libnpmpack@8.0.4

v10.9.6

10.9.6 (2026-03-10)

Bug Fixes

• d6fe671 #9098 arborist: v10 - backport multiple fixes for linked install (#9098) (@​manzoorwanijk)

Dependencies

• a5dadad #9067 tar@7.5.11
• 87abb92 #9067 pacote@20.0.1
• c2f0fd2 #9067 pacote@19.0.2
• workspace: @npmcli/arborist@8.0.3
• workspace: libnpmdiff@7.0.3
• workspace: libnpmexec@9.0.3
• workspace: libnpmfund@6.0.3
• workspace: libnpmpack@8.0.3

v10.9.5

10.9.5 (2026-03-04)

Bug Fixes

• 794f6c8 #9011 backport linked strategy fixes from multiple PRs to v10 (#9011) (@​manzoorwanijk)

Dependencies

• 6717032 #9056 tuf-js@3.1.0
• e4e25ea #9056 tinyglobby@0.2.15
• 9464329 #9056 socks@2.8.7
• 23c3e17 #9056 postcss-selector-parser@7.1.1
• 77f9c29 #9056 p-map@7.0.4
• f1a0315 #9056 npm-install-checks@7.1.2
• ad7d3ac #9056 normalize-package-data@7.0.1
• 63a7c82 #9056 node-gyp@11.5.0

... (truncated)

Commits

• dd3c80e chore: release 10.9.8
• 8aa9c82 fix: eagerly require promise-retry to survive self-upgrade
• 58c302d chore: release 10.9.7
• e5c1309 chore: dev dependency updates
• cc9a4de deps: hoist production @​sigstore dependencies
• bbcd455 fix(arborist): v10 - backport store, lock-only, and override sibling fixes (#...
• 49a764e chore: release 10.9.6
• d6fe671 fix(arborist): v10 - backport multiple fixes for linked install (#9098)
• ebd09c3 fix(arborist): backport linked strategy hoisting fixes to v10 (#9084)
• a5dadad deps: tar@7.5.11
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by owlstronaut, a new releaser for npm since your current version.

Updates mongodb-runner from 5.9.3 to 6.7.3

Commits

• cd56f7e chore(ci): bump packages
• cb4f99f fix: default condition should be last one (#629)
• 2d1269d chore(ci): bump packages
• 31173a2 fix(mongodb-server-log-checker): ignore warnings from internal clients (#627)
• b85e3f1 chore(ci): bump packages
• 061e7c3 feat(mongodb-server-log-checker): add package (#624)
• 63b1749 chore(ci): bump packages
• 18cc55e chore(mongodb-downloader): bump tar VSCODE-753 (#625)
• fabfa55 chore(ci): bump packages
• 40879b8 fix(mongodb-runner): configsvr must always use 127.0.0.1 DRIVERS-3335 (#620)
• Additional commits viewable in compare view

[parse-github-assistant]

I will reformat the title to use the proper commit message syntax.

[parse-github-assistant]

I will reformat the title to use the proper commit message syntax.

[parse-github-assistant]

I will reformat the title to use the proper commit message syntax.

[mtrezza]

Closing this Dependabot PR. The mongodb-runner 6.x upgrade causes consistent CI failures on replica set topology tests.

There is a bug in mongodb-runner 6.x where the removePortArg function in mongocluster.ts incorrectly handles the --port flag removal for secondary replica set members: it removes only the port value but leaves the --port flag, resulting in invalid arguments being passed to mongod secondary processes. This causes the "Server log output did not include port or socket" error.

See #10421 for the detailed analysis.

This upgrade should be revisited after the upstream bug is fixed in mongodb-runner.

[dependabot]

OK, I won't notify you again about this release, but will get in touch when a new version is available. You can also ignore all major, minor, or patch releases for a dependency by adding an ignore condition with the desired update_types to your config file.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.