@ananzh ananzh commented Nov 12, 2025

Description

Bump tar-fs to patched version 2.14 and 3.1.1

=> Found "[email protected]"
info Has been hoisted to "tar-fs"
info Reasons this module exists
   - "workspace-aggregator-3fedba17-9655-4d13-b6ab-c75e2e662b0d" depends on it
   - Hoisted from "_project_#@osd#opensearch#tar-fs"
   - Hoisted from "_project_#@osd#test#tar-fs"
info Disk size without dependencies: "96KB"
info Disk size with unique dependencies: "208KB"
info Disk size with transitive dependencies: "820KB"
info Number of shared dependencies: 15
=> Found "@puppeteer/browsers#[email protected]"
info This module exists because "_project_#@puppeteer#browsers" depends on it.
info Disk size without dependencies: "28KB"
info Disk size with unique dependencies: "104KB"
info Disk size with transitive dependencies: "716KB"
info Number of shared dependencies: 13
=> Found "lighthouse#[email protected]"
info Reasons this module exists
   - "_project_#@lhci#cli#lighthouse#puppeteer-core#@puppeteer#browsers" depends on it
   - Hoisted from "_project_#@lhci#cli#lighthouse#puppeteer-core#@puppeteer#browsers#tar-fs"
info Disk size without dependencies: "28KB"
info Disk size with unique dependencies: "104KB"
info Disk size with transitive dependencies: "716KB"
info Number of shared dependencies: 13

Issue Resolved

#10578

Changelog

  • security: [CVE-2025-59343] Bump tar-fs from 2.1.3 to 2.1.4 and from 3.1.0 to 3.1.1

Check List

  • All tests pass
    • yarn test:jest
    • yarn test:jest_integration
  • New functionality includes testing.
  • New functionality has been documented.
  • Update CHANGELOG.md
  • Commits are signed per the DCO using --signoff

@github-actions
Contributor

❌ Empty Changelog Section

The Changelog section in your PR description is empty. Please add a valid changelog entry or entries. If you did add a changelog entry, check to make sure that it was not accidentally included inside the comment block in the Changelog section.

@ananzh ananzh added cve Security vulnerabilities detected by Dependabot or Mend failed changeset and removed failed changeset labels Nov 12, 2025
codecov bot commented Nov 12, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 60.75%. Comparing base (a1d2e7b) to head (7ca3582).

Additional details and impacted files
@@           Coverage Diff           @@
##             main   #10910   +/-   ##
=======================================
  Coverage   60.75%   60.75%           
=======================================
  Files        4533     4533           
  Lines      122209   122209           
  Branches    20483    20483           
=======================================
  Hits        74250    74250           
  Misses      42719    42719           
  Partials     5240     5240           
Flag Coverage Δ
Linux_1 26.57% <ø> (ø)
Linux_2 38.92% <ø> (ø)
Linux_3 39.44% <ø> (ø)
Linux_4 33.74% <ø> (ø)
Windows_1 26.58% <ø> (ø)
Windows_2 38.90% <ø> (ø)
Windows_3 39.45% <ø> (+<0.01%) ⬆️
Windows_4 33.74% <ø> (ø)


@LDrago27
Collaborator

@ananzh Do we need to update the puppeteer and lighthouse versions for this fix? Or is the yarn.lock update fine?
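Added example, not part of the pull request or the project's code: one way to check whether a lockfile-only bump leaves any `tar-fs` entry below the patched versions named in the changelog (2.1.4 and 3.1.1). It assumes a yarn v1 `yarn.lock`; the function names and the sample lockfile are constructed for illustration.

```javascript
// Patched floor per major line, taken from the PR changelog (2.1.4 and 3.1.1).
const PATCHED = { 2: [2, 1, 4], 3: [3, 1, 1] };

// Parse a yarn v1 lockfile; return [{ spec, version }] for one package name.
function resolvedVersions(lockText, pkg) {
  const found = [];
  let specs = null;
  for (const line of lockText.split(/\r?\n/)) {
    if (/^\S.*:$/.test(line) && !line.startsWith('#')) {
      // Entry header, e.g.  "tar-fs@^2.0.0", tar-fs@^2.1.1:
      specs = line.slice(0, -1).split(/,\s*/).map((s) => s.replace(/^"|"$/g, ''));
      continue;
    }
    const m = /^  version "([^"]+)"$/.exec(line);
    if (m && specs) {
      for (const spec of specs) {
        // lastIndexOf keeps scoped names such as @scope/name intact.
        if (spec.slice(0, spec.lastIndexOf('@')) === pkg) found.push({ spec, version: m[1] });
      }
      specs = null;
    }
  }
  return found;
}

// Numeric x.y.z comparison; a major line with no known floor is flagged for review.
function belowPatched(version) {
  const v = version.split('.').map((n) => parseInt(n, 10));
  const floor = PATCHED[v[0]];
  if (!floor) return true;
  for (let i = 0; i < 3; i++) {
    if (v[i] !== floor[i]) return v[i] < floor[i];
  }
  return false;
}

// Every requested range of tar-fs that still resolves below its patched floor.
function unpatchedTarFs(lockText) {
  return resolvedVersions(lockText, 'tar-fs').filter((e) => belowPatched(e.version));
}

// Constructed sample lockfile (not the repository's yarn.lock).
const SAMPLE_LOCK = [
  '# yarn lockfile v1', '',
  '"@puppeteer/browsers@2.3.0":', '  version "2.3.0"',
  '  dependencies:', '    tar-fs "^3.0.6"', '',
  'tar-fs@^2.0.0, tar-fs@^2.1.1:', '  version "2.1.3"', '',
  'tar-fs@^3.0.6:', '  version "3.1.1"', '',
].join('\n');
```

Run against a real lockfile by passing its contents to `unpatchedTarFs`; an empty result means every requested range of `tar-fs` resolves at or above its patched floor.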


Labels

cve Security vulnerabilities detected by Dependabot or Mend distinguished-contributor
