chore(deps): bump tar, semantic-release and npm

[dependabot]

Removes tar. It's no longer used after updating ancestor dependencies tar, semantic-release and npm. These dependencies need to be updated together.

Removes tar

Updates semantic-release from 24.2.9 to 25.0.5

Release notes

Sourced from semantic-release's releases.

v25.0.5

25.0.5 (2026-06-09)

Bug Fixes

• revert: next (#4200) (db8ffaa)

v25.0.4

25.0.4 (2026-06-09)

Bug Fixes

• code-quality: add missing comma in context object for consistency (493d6cd)

v25.0.3

25.0.3 (2026-01-30)

Bug Fixes

• deps: remove deprecated semver-diff (#3980) (f404124)

v25.0.2

25.0.2 (2025-11-07)

Bug Fixes

• deps: update dependency read-package-up to v12 (#3935) (1494cb9)

v25.0.1

25.0.1 (2025-10-19)

Bug Fixes

• deps: update to the latest version of the npm plugin to add trusted publishing support (fad173e), closes semantic-release/npm#958

v25.0.1-beta.3

25.0.1-beta.3 (2025-10-19)

Bug Fixes

• deps: update to latest npm plugin (a96aced)

... (truncated)

Commits

• db8ffaa fix(revert): next (#4200)
• 4e476de docs: update README to include information about the new core engine integration
• 493d6cd fix(code-quality): add missing comma in context object for consistency
• d05e160 refactor: replace direct logger and env-ci replacements with a mockCore funct...
• 4f464a7 test: add tests for core delegation and dry-run policy handling
• 3f5d1b7 refactor: integrate core; remove unused imports and restructuring the main ...
• 7d71f2e refactor: remove obsolete release type constants and notes separator
• 1ae1a19 refactor: remove obsolete test files for logger, git, sensitive data handling...
• bedddc4 refactor: remove obsolete Git-related utilities and logging functions
• 7172195 refactor(tests): remove obsolete tests for plugins and verification
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for semantic-release since your current version.

Updates npm from 11.7.0 to 11.17.0

Release notes

Sourced from npm's releases.

v11.17.0

11.17.0 (2026-06-11)

Features

• ae8ac4e #9534 add min-release-age-exclude config (@​JamieMagee, @​caseyjhol)
• 8ff3e48 #9483 allowScripts tooling and inBundle hardening (#9483) (@​github-actions[bot], @​JamieMagee)

Bug Fixes

• 847cdf8 #9541 match dotted and versioned args in approve-scripts/deny-scripts (@​owlstronaut)
• d99f7cb #9535 emit valid JSON from approve-scripts/deny-scripts --json (@​owlstronaut)
• 351a309 #9499 pass script-shell to publish lifecycle hooks (#9499) (@​github-actions[bot])
• 4fa81df #9497 recognize allowScripts for local link targets (#9497) (@​github-actions[bot], @​cyphercodes, @​cyphercodes)
• 95cf2e9 #9489 validate registry path for allow-remote tarballs (@​Abhinav-143x)
• 9dd219b #9462 respect allowScripts policy in prune, dedupe, uninstall, audit, and link (#9462) (@​github-actions[bot], @​JamieMagee)
• cd8d18a #9482 list pending scripts in approve-scripts when ignore-scripts is set (#9482) (@​github-actions[bot], @​JamieMagee)
• c14e87c #9481 suggest --allow-scripts for global installs in unreviewed-scripts warnings (#9481) (@​github-actions[bot], @​JamieMagee)
• 7ade52e #9465 invalid issue template YAML indentation (#9465) (@​github-actions[bot], @​fallintoplace)
• c069622 #9464 show full parent command path in subcommand usage errors (#9464) (@​owlstronaut)
• 1bb62bb #9454 config: clarify --all help so it's accurate for approve-scripts and deny-scripts (@​JamieMagee)
• 84eeb5f #9431 audit: don't apply min-release-age before filter when verifying installed signatures (@​JamieMagee)
• 3bd3377 #9426 block forbidden keys in Queryable setter to prevent prototype pollution (@​12122J, @​claude)

Documentation

• a86a7a9 #9522 approve-scripts only throws EGLOBAL when run with -g (@​JamieMagee)
• 693bb3d #9508 clarify package.json override value specs (#9508) (@​github-actions[bot], @​ded-furby)
• ccffe4a #9501 use the latest version for global update and outdated's wanted (#9501) (@​github-actions[bot], @​liangmiQwQ)
• 66e97c2 #9478 update minimum npm required for npm trust (@​meeech)

Dependencies

• bd09b87 #9542 postcss-selector-parser@7.1.4
• 95bfc4c #9542 tinyglobby@0.2.17
• 8c0d5fd #9542 tar@7.5.16
• 967d377 #9542 semver@7.8.4
• cdaac1b #9542 pacote@21.5.1
• 25c8a9e #9542 node-gyp@12.4.0

Chores

• 2922fa4 #9542 dev dependency updates (@​owlstronaut)
• workspace: @npmcli/arborist@9.8.0
• workspace: @npmcli/config@10.11.0
• workspace: libnpmdiff@8.1.10
• workspace: libnpmexec@10.3.0
• workspace: libnpmfund@7.0.24
• workspace: libnpmpack@9.1.10

v11.16.0

11.16.0 (2026-05-27)

Features

• 4b67f6e #9416 publish --access=private alias for restricted (#9416) (@​github-actions[bot], @​reggi, @​Copilot)
• a10c7ca #9415 Phase 1 of allowScripts opt-in install-script policy (#9360) (#9415) (@​owlstronaut, @​JamieMagee)

Bug Fixes

• 1f7869b #9411 fix typo of fullMetadata (@​owlstronaut)
• cde03ba #9390 config: pause progress spinner during interactive editor spawn (#9388) (@​github-actions[bot], @​Zelys-DFKH, @​claude)

Documentation

• c5e9d73 #9390 Document npm_old_version and npm_new_version environment variables (#9389) (@​github-actions[bot], @​36degrees)

... (truncated)

Changelog

Sourced from npm's changelog.

11.17.0 (2026-06-11)

Features

• ae8ac4e #9534 add min-release-age-exclude config (@​JamieMagee, @​caseyjhol)
• 8ff3e48 #9483 allowScripts tooling and inBundle hardening (#9483) (@​github-actions[bot], @​JamieMagee)

Bug Fixes

• 847cdf8 #9541 match dotted and versioned args in approve-scripts/deny-scripts (@​owlstronaut)
• d99f7cb #9535 emit valid JSON from approve-scripts/deny-scripts --json (@​owlstronaut)
• 351a309 #9499 pass script-shell to publish lifecycle hooks (#9499) (@​github-actions[bot])
• 4fa81df #9497 recognize allowScripts for local link targets (#9497) (@​github-actions[bot], @​cyphercodes, @​cyphercodes)
• 95cf2e9 #9489 validate registry path for allow-remote tarballs (@​Abhinav-143x)
• 9dd219b #9462 respect allowScripts policy in prune, dedupe, uninstall, audit, and link (#9462) (@​github-actions[bot], @​JamieMagee)
• cd8d18a #9482 list pending scripts in approve-scripts when ignore-scripts is set (#9482) (@​github-actions[bot], @​JamieMagee)
• c14e87c #9481 suggest --allow-scripts for global installs in unreviewed-scripts warnings (#9481) (@​github-actions[bot], @​JamieMagee)
• 7ade52e #9465 invalid issue template YAML indentation (#9465) (@​github-actions[bot], @​fallintoplace)
• c069622 #9464 show full parent command path in subcommand usage errors (#9464) (@​owlstronaut)
• 1bb62bb #9454 config: clarify --all help so it's accurate for approve-scripts and deny-scripts (@​JamieMagee)
• 84eeb5f #9431 audit: don't apply min-release-age before filter when verifying installed signatures (@​JamieMagee)
• 3bd3377 #9426 block forbidden keys in Queryable setter to prevent prototype pollution (@​12122J, @​claude)

Documentation

• a86a7a9 #9522 approve-scripts only throws EGLOBAL when run with -g (@​JamieMagee)
• 693bb3d #9508 clarify package.json override value specs (#9508) (@​github-actions[bot], @​ded-furby)
• ccffe4a #9501 use the latest version for global update and outdated's wanted (#9501) (@​github-actions[bot], @​liangmiQwQ)
• 66e97c2 #9478 update minimum npm required for npm trust (@​meeech)

Dependencies

• bd09b87 #9542 postcss-selector-parser@7.1.4
• 95bfc4c #9542 tinyglobby@0.2.17
• 8c0d5fd #9542 tar@7.5.16
• 967d377 #9542 semver@7.8.4
• cdaac1b #9542 pacote@21.5.1
• 25c8a9e #9542 node-gyp@12.4.0

Chores

• 2922fa4 #9542 dev dependency updates (@​owlstronaut)
• workspace: @npmcli/arborist@9.8.0
• workspace: @npmcli/config@10.11.0
• workspace: libnpmdiff@8.1.10
• workspace: libnpmexec@10.3.0
• workspace: libnpmfund@7.0.24
• workspace: libnpmpack@9.1.10

11.16.0 (2026-05-27)

Features

• 4b67f6e #9416 publish --access=private alias for restricted (#9416) (@​github-actions[bot], @​reggi, @​Copilot)
• a10c7ca #9415 Phase 1 of allowScripts opt-in install-script policy (#9360) (#9415) (@​owlstronaut, @​JamieMagee)

Bug Fixes

• 1f7869b #9411 fix typo of fullMetadata (@​owlstronaut)
• cde03ba #9390 config: pause progress spinner during interactive editor spawn (#9388) (@​github-actions[bot], @​Zelys-DFKH, @​claude)

Documentation

• c5e9d73 #9390 Document npm_old_version and npm_new_version environment variables (#9389) (@​github-actions[bot], @​36degrees)

Dependencies

• cdd7bbc #9421 undici@6.26.0

... (truncated)

Commits

• 5866280 chore: release 11.17.0
• 2922fa4 chore: dev dependency updates
• bd09b87 deps: postcss-selector-parser@7.1.4
• 95bfc4c deps: tinyglobby@0.2.17
• 8c0d5fd deps: tar@7.5.16
• 967d377 deps: semver@7.8.4
• cdaac1b deps: pacote@21.5.1
• 25c8a9e deps: node-gyp@12.4.0
• 847cdf8 fix: match dotted and versioned args in approve-scripts/deny-scripts
• 5f73e31 feat: differentiate GitHub Actions environments in user-agent (#9517)
• Additional commits viewable in compare view

[cursor]

PR Summary

Low Risk
Lockfile-only dev dependency bumps for release tooling; no production SDK code or runtime dependency changes.

Overview
This PR refreshes dev/release tooling dependencies via the lockfile, mainly bumping semantic-release to 25.0.5 (from the 24.x line) and the bundled npm dev dependency to 11.17.0.

The tar package is dropped from the resolved tree as a standalone concern after the coordinated updates—tar remains only as a transitive dependency inside npm and related install tooling, not as something the SDK uses directly.

There are no changes to SDK source, build scripts, or runtime dependencies beyond what’s implied by the updated lock resolution for release-related dev packages.

^{Reviewed by Cursor Bugbot for commit 05466e5. Bugbot is set up for automated code reviews on this repo. Configure here.}

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud