From 3a5e90521456f06089e3344c553c6ddb2b9c7420 Mon Sep 17 00:00:00 2001
From: Gandalf the Greybeard
Date: Wed, 18 Mar 2026 23:51:56 +0000
Subject: [PATCH] fix: add tar and undici as direct devDependencies for Dependabot resolution

Dependabot security update runs are failing because it cannot resolve patched versions of tar (>=7.5.11) and undici (>=7.24.0) through transitive dependency chains. While npm overrides already mitigate the vulnerabilities locally, Dependabot's resolver doesn't honor overrides. Adding these as explicit devDependencies lets Dependabot see and resolve the patched versions directly.

Co-Authored-By: Paperclip
---
 package-lock.json | 2 ++
 package.json | 2 ++
 2 files changed, 4 insertions(+)

diff --git a/package-lock.json b/package-lock.json
index 07bbb72..aba8e52 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -21,6 +21,8 @@
 "react": "^18.3.1",
 "react-dom": "^18.3.1",
 "react-router-dom": "^5.3.0",
+ "tar": "^7.5.11",
+ "undici": "^7.24.3",
 "vitest": "^3.0.5"
 },
 "peerDependencies": {
diff --git a/package.json b/package.json
index 361e4f6..296298c 100644
--- a/package.json
+++ b/package.json
@@ -47,6 +47,8 @@
 "react": "^18.3.1",
 "react-dom": "^18.3.1",
 "react-router-dom": "^5.3.0",
+ "tar": "^7.5.11",
+ "undici": "^7.24.3",
 "vitest": "^3.0.5"
 }
 }
--
2.52.0
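Review bot: The new `"tar": "^7.5.11"` and `"undici": "^7.24.3"` entries in the package.json hunk must match the existing `overrides` entries for the same packages exactly, because npm rejects an override whose spec differs from a direct dependency's spec (EOVERRIDE) and `npm install` would fail; the overrides block is outside this hunk, so I cannot confirm it agrees, and `"tar": "$tar"` / `"undici": "$undici"` in `overrides` is the form that keeps the two from drifting. Nothing in package.json records that these two packages are presumably not imported by the project and exist only so Dependabot can resolve the patched floors, so a later "unused dependency" cleanup could drop them and silently reopen the gap; since package.json has no comment syntax, a sentence in the README or CONTRIBUTING guide naming the two packages and the reason would be worth adding. The undici floor is `^7.24.3` while the description says `>=7.24.0`; presumably 7.24.3 is what the lockfile actually resolved, but the message should state the same floor as the code. The enclosing `devDependencies` object begins outside the hunk.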