From 0476fd1076f7d101b16a20d6337f6c1f61ed6003 Mon Sep 17 00:00:00 2001
From: "gandalf-the-greybeard[bot]" <266323920+gandalf-the-greybeard[bot]@users.noreply.github.com>
Date: Wed, 18 Mar 2026 23:54:21 +0000
Subject: [PATCH] fix: add tar and undici as direct devDependencies for Dependabot resolution (#68)

Dependabot security update runs are failing because it cannot resolve patched versions of tar (>=7.5.11) and undici (>=7.24.0) through transitive dependency chains. While npm overrides already mitigate the vulnerabilities locally, Dependabot's resolver doesn't honor overrides. Adding these as explicit devDependencies lets Dependabot see and resolve the patched versions directly.

Co-authored-by: Gandalf the Greybeard
Co-authored-by: Paperclip
---
 package-lock.json | 2 ++
 package.json | 2 ++
 2 files changed, 4 insertions(+)

diff --git a/package-lock.json b/package-lock.json
index 07bbb72..aba8e52 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -21,6 +21,8 @@
 "react": "^18.3.1",
 "react-dom": "^18.3.1",
 "react-router-dom": "^5.3.0",
+ "tar": "^7.5.11",
+ "undici": "^7.24.3",
 "vitest": "^3.0.5"
 },
 "peerDependencies": {
diff --git a/package.json b/package.json
index 361e4f6..296298c 100644
--- a/package.json
+++ b/package.json
@@ -47,6 +47,8 @@
 "react": "^18.3.1",
 "react-dom": "^18.3.1",
 "react-router-dom": "^5.3.0",
+ "tar": "^7.5.11",
+ "undici": "^7.24.3",
 "vitest": "^3.0.5"
 }
 }
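Review bot: The two ranges added to package.json (`"tar": "^7.5.11"` and `"undici": "^7.24.3"`) must stay in step with the existing `overrides` entries the commit message says already pin these packages, which are not visible in this hunk; npm treats an override as authoritative for the resolved version, so if an override ever points below the range declared here, `npm install` would keep the override's version while the devDependency range alone would not guarantee the patched release. Nothing in the file records why two packages the project does not import directly appear as devDependencies, so a later cleanup could drop either the override or the devDependency and silently undo the mitigation. Because package.json has no comment syntax, consider a top-level key npm ignores like any unknown field, e.g. `"//": "tar and undici are devDependencies only so Dependabot can resolve patched versions; keep their ranges in sync with overrides"`, or an equivalent line in the project README. The enclosing `devDependencies` object begins before the hunk.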