Fix tar-fs dependabot alerts v3

[nicktrn]

v3 of tar-fs was also affected

[changeset-bot]

⚠️ No Changeset found

Latest commit: aaa699a

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[coderabbitai]

Walkthrough

The changes include updating the versions of the @testcontainers/postgresql, @testcontainers/redis, and testcontainers packages in the devDependencies section of internal-packages/testcontainers/package.json from ^10.25.0 to ^10.28.0. Additionally, the root package.json was modified to add a new entry in the pnpm.overrides section, specifying that tar-fs should be pinned to version 3.0.9 when used as a dependency of testcontainers@10.28.0. No other dependencies, scripts, or exported entities were changed.

---

📜 Recent review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 1b62b34 and aaa699a.

⛔ Files ignored due to path filters (1)

• pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml

📒 Files selected for processing (2)

• internal-packages/testcontainers/package.json (1 hunks)
• package.json (1 hunks)

⏰ Context from checks skipped due to timeout of 90000ms (19)

• GitHub Check: units / internal / 🧪 Unit Tests: Internal (2, 8)
• GitHub Check: units / internal / 🧪 Unit Tests: Internal (4, 8)
• GitHub Check: units / webapp / 🧪 Unit Tests: Webapp (5, 10)
• GitHub Check: units / internal / 🧪 Unit Tests: Internal (7, 8)
• GitHub Check: units / internal / 🧪 Unit Tests: Internal (5, 8)
• GitHub Check: units / webapp / 🧪 Unit Tests: Webapp (10, 10)
• GitHub Check: units / internal / 🧪 Unit Tests: Internal (3, 8)
• GitHub Check: units / webapp / 🧪 Unit Tests: Webapp (6, 10)
• GitHub Check: units / webapp / 🧪 Unit Tests: Webapp (7, 10)
• GitHub Check: units / internal / 🧪 Unit Tests: Internal (6, 8)
• GitHub Check: units / internal / 🧪 Unit Tests: Internal (1, 8)
• GitHub Check: units / webapp / 🧪 Unit Tests: Webapp (4, 10)
• GitHub Check: units / packages / 🧪 Unit Tests: Packages (1, 1)
• GitHub Check: units / webapp / 🧪 Unit Tests: Webapp (9, 10)
• GitHub Check: units / webapp / 🧪 Unit Tests: Webapp (3, 10)
• GitHub Check: e2e / 🧪 CLI v3 tests (windows-latest - npm)
• GitHub Check: e2e / 🧪 CLI v3 tests (windows-latest - pnpm)
• GitHub Check: typecheck / typecheck
• GitHub Check: Analyze (javascript-typescript)

🔇 Additional comments (3)

internal-packages/testcontainers/package.json (2)

14-15:

✅ Verification successful

Bump @testcontainers/postgresql and @testcontainers/redis to ^10.28.0
Updating these devDependencies should include security fixes and minor improvements. Please confirm no breaking changes were introduced in these patch versions.

Confirm by running:

---

🏁 Script executed:

npm info @testcontainers/postgresql@10.28.0
npm info @testcontainers/redis@10.28.0

Length of output: 2363

---

✅ Patch-only update verified
Both @testcontainers/postgresql@10.28.0 and @testcontainers/redis@10.28.0 are patch releases (no major version bump) and depend on testcontainers@^10.28.0. According to semver, patch updates shouldn’t introduce breaking changes. No issues found—proceed with the bump.

---

18-18:

✅ Verification successful

Upgrade testcontainers to ^10.28.0
Ensure the core testcontainers package bump aligns with the updated plugins and that all integration tests pass against this version.

You can verify with:

---

🏁 Script executed:

npm info testcontainers@10.28.0

Length of output: 1607

---

Upgrade to testcontainers@^10.28.0 Verified
Version 10.28.0 is published on npm and matches the dependency in internal-packages/testcontainers/package.json (line 18).
Everything looks good—no further changes required. Please confirm your integration tests pass against this version.

package.json (1)

86-87: Add pnpm override for tar-fs@3.0.9 under testcontainers@10.28.0
This pins tar-fs to a non-vulnerable version for the updated testcontainers. After merging, run pnpm install --frozen-lockfile and pnpm why tar-fs to ensure the override is applied correctly across all workspaces.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Explain this complex logic.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai explain this code block.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and explain its main purpose.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Support

Need help? Create a ticket on our support page for assistance with any issues or questions.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate docstrings to generate docstrings for this PR.
• @coderabbitai generate sequence diagram to generate a sequence diagram of the changes in this PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.