chore: upgrade tar resolution #4449

Merged
mergify[bot] merged 1 commit into master from chore-upgrade-tar on Feb 20, 2026

Conversation

@tjuanitas (Contributor) commented Feb 20, 2026

https://github.com/box/box-ui-elements/security/dependabot/352

Summary by CodeRabbit

  • Chores
    • Updated dependency version pinning in package configuration to ensure compatibility and consistency across the project.

@tjuanitas tjuanitas requested a review from a team as a code owner February 20, 2026 19:20
@coderabbitai (coderabbitai bot, Contributor) commented Feb 20, 2026

Walkthrough

This pull request updates the package.json resolutions field to pin specific versions of the tar and qs dependencies. The tar version is updated from ^7.5.7 to ^7.5.8, and qs is changed from 6.14.1 to ^6.14.1 with caret notation added.

Changes

Cohort / File(s): Dependency Resolution Updates (package.json)
Summary: Updated resolutions block to pin tar to ^7.5.8 (from ^7.5.7) and qs to ^6.14.1 (from 6.14.1). The resolutions block appears to be duplicated across multiple locations in the file.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Possibly related PRs

  • chore(deps): upgrade tar #4426: Updates tar dependency pinning in resolutions; this PR continues that work by bumping tar from ^7.5.7 to ^7.5.8 while also adjusting qs versioning.

Suggested labels

ready-to-merge

Suggested reviewers

  • jpan-box
  • greg-in-a-box

Poem

🐰 A rabbit hops through JSON neat,
Updating tar and qs so sweet,
Versions pinned with caret care,
Dependencies now perfectly paired! 📦✨

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

  • Description check: ⚠️ Warning. The description only contains a link to a Dependabot advisory and lacks the structured information required by the repository template, including context about the change and merge instructions. Resolution: expand the description to explain the security update, the reason for upgrading tar and qs versions, and provide context about the Dependabot advisory being addressed.

✅ Passed checks (2 passed)

  • Title check: ✅ Passed. The title 'chore: upgrade tar resolution' directly reflects the main change, updating the tar package version from ^7.5.7 to ^7.5.8 in package.json resolutions.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


@coderabbitai (coderabbitai bot, Contributor) left a review comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@package.json`:
- Line 361: The PR widened the dependency constraint for the package "qs" in
package.json from an exact pin to a caret range ("qs": "^6.14.1"), which is
outside the scope of the tar-focused change — revert this by restoring the exact
pin ("qs": "6.14.1") in package.json (look for the "qs" entry) or, if widening
is intentional, add a clear justification to the PR description explaining why
the change is needed and acceptable; ensure the package.json change and PR
message remain consistent.

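The walkthrough above describes the caret-versus-exact change in the resolutions block and notes that the block appears more than once in package.json, and the review comment flags the qs widening. The following JavaScript is an added example, not code from box-ui-elements or from either bot: three checks a reviewer can script for this kind of change, namely the lowest version each range still admits against an assumed floor, which pins went from an exact version to a caret range, and whether the raw file repeats a top-level key (JSON.parse keeps the last copy silently, so an earlier resolutions block is ignored). The sample package.json text and the REQUIRED_FLOOR values are constructed for the example; the floors are assumptions, not figures taken from the Dependabot advisory.

```javascript
// Added example (not code from box-ui-elements or from CodeRabbit).
// Constructed sample resembling the PR's before/after values. The second
// "resolutions" key is deliberate: it mirrors the walkthrough's note that
// the block appears more than once in the file.
const SAMPLE_PACKAGE_JSON = `{
  "name": "sample-app",
  "resolutions": {
    "tar": "^7.5.7",
    "qs": "6.14.1"
  },
  "dependencies": {},
  "resolutions": {
    "tar": "^7.5.8",
    "qs": "^6.14.1"
  }
}`;

// Assumed minimum acceptable versions (placeholders, not advisory data).
const REQUIRED_FLOOR = { tar: "7.5.8", qs: "6.14.1" };

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`unsupported version syntax: ${v}`);
  return m.slice(1).map(Number);
}

function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// "exact" for 1.2.3, "caret" for ^1.2.3; other syntax is refused, not guessed.
function rangeKind(range) {
  if (/^\^\d+\.\d+\.\d+$/.test(range)) return "caret";
  if (/^\d+\.\d+\.\d+$/.test(range)) return "exact";
  throw new Error(`unsupported range syntax: ${range}`);
}

// Lowest version the range can resolve to. For both supported kinds that is
// the literal version; the caret only raises the upper bound.
function minVersionOfRange(range) {
  return rangeKind(range) === "caret" ? range.slice(1) : range;
}

// Check 1: does any resolution still admit a version below its floor?
function belowFloor(resolutions, floors) {
  const findings = [];
  for (const [pkg, range] of Object.entries(resolutions)) {
    const floor = floors[pkg];
    if (floor === undefined) continue;
    const min = minVersionOfRange(range);
    if (compareVersions(min, floor) < 0) {
      findings.push(`${pkg}: ${range} admits ${min}, below required ${floor}`);
    }
  }
  return findings;
}

// Check 2: pins that went from an exact version to a caret range.
function widenedPins(before, after) {
  return Object.keys(after).filter(
    (pkg) => pkg in before && rangeKind(before[pkg]) === "exact" && rangeKind(after[pkg]) === "caret"
  );
}

// Check 3: repeated top-level keys in the raw text. A small scanner tracks
// string literals and nesting depth; it is not a full JSON parser, only
// enough to see which string precedes a colon at depth 1.
function duplicateTopLevelKeys(text) {
  const counts = new Map();
  let depth = 0, inString = false, str = "", lastString = null;
  for (let i = 0; i < text.length; i++) {
    const c = text[i];
    if (inString) {
      if (c === "\\") { str += text[++i]; continue; }   // keep escaped char, do not close
      if (c === '"') { inString = false; lastString = str; continue; }
      str += c;
      continue;
    }
    if (c === '"') { inString = true; str = ""; continue; }
    if (c === "{" || c === "[") depth++;
    else if (c === "}" || c === "]") depth--;
    else if (c === ":" && depth === 1 && lastString !== null) {
      counts.set(lastString, (counts.get(lastString) || 0) + 1);
      lastString = null;
    }
  }
  return [...counts].filter(([, n]) => n > 1).map(([key]) => key);
}

// JSON.parse silently keeps the last duplicate, so "effectiveResolutions"
// is what a package manager reading the parsed object would actually see.
function auditPackageJson(text, floors) {
  const effective = JSON.parse(text).resolutions || {};
  return {
    duplicateTopLevelKeys: duplicateTopLevelKeys(text),
    effectiveResolutions: effective,
    belowFloor: belowFloor(effective, floors),
  };
}

console.log(JSON.stringify(auditPackageJson(SAMPLE_PACKAGE_JSON, REQUIRED_FLOOR), null, 2));
```

Only exact pins and caret ranges are handled; a tilde, wildcard or range expression throws instead of being approximated, so anything unusual in a real file surfaces as an error to inspect by hand. Whether the lockfile actually resolved to a version at or above the floor is a separate check against the lockfile, which this example does not read.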
@mergify mergify bot added the queued label Feb 20, 2026
@mergify mergify bot merged commit fe26ad7 into master Feb 20, 2026
12 checks passed
@mergify mergify bot deleted the chore-upgrade-tar branch February 20, 2026 21:43
@mergify (mergify bot, Contributor) commented Feb 20, 2026

Merge Queue Status

Rule: Automatic strict merge


  • Entered queue: 2026-02-20 21:43 UTC
  • Checks passed · in-place
  • Merged: 2026-02-20 21:43 UTC · at adadadfe876dab8cd4488117b927946399a8a402

This pull request spent 5 seconds in the queue, with no time running CI.

Required conditions to merge
  • #approved-reviews-by >= 1 [🛡 GitHub branch protection]
  • #changes-requested-reviews-by = 0 [🛡 GitHub branch protection]
  • #review-threads-unresolved = 0 [🛡 GitHub branch protection]
  • branch-protection-review-decision = APPROVED [🛡 GitHub branch protection]
  • any of [🛡 GitHub branch protection]:
    • check-success = Summary
    • check-neutral = Summary
    • check-skipped = Summary
  • any of [🛡 GitHub branch protection]:
    • check-success = lint_test_build
    • check-neutral = lint_test_build
    • check-skipped = lint_test_build
  • any of [🛡 GitHub branch protection]:
    • check-success = license/cla
    • check-neutral = license/cla
    • check-skipped = license/cla
  • any of [🛡 GitHub branch protection]:
    • check-success = lint_pull_request
    • check-neutral = lint_pull_request
    • check-skipped = lint_pull_request

@mergify mergify bot removed the queued label Feb 20, 2026
3 participants