chore(deps): clear vulnerable transitive deps (tar, flatted)

[dpage]

Summary

Clears open Dependabot HIGH security advisories for transitive npm dependencies that have no direct manifest entry — so Dependabot can't auto-open fix PRs for them (unlike paramiko, which has #9927).

tar (6 × HIGH — GHSA-9ppj-qmqm-q256 and related)

An old tar@6.2.1 was dragged in through a single chain:

@vusion/webfonts-generator@0.8.0 (pins ttf2woff2@^4.0.4)
  └─ ttf2woff2@4.0.5
       └─ node-gyp@9.4.1 ──► tar@6.2.1
            └─ make-fetch-happen@10 ─► cacache@16 ─► tar@6.2.1

ttf2woff2 6+ switched to an ESM/type: module default export, which breaks @vusion/webfonts-generator's callable usage (ttf2woff2(buf) → "ttf2woff2 is not a function"). So instead of bumping ttf2woff2, this overrides its node-gyp via a scoped resolution:

"ttf2woff2/node-gyp": "^11.2.0"

That modernises the whole sub-tree (node-gyp 11, make-fetch-happen 14/15, cacache 19/20) onto tar@7.5.16, while keeping ttf2woff2@4.0.5 so webfont generation keeps working. node-gyp@9 / cacache@16 / tar@6.2.1 are fully removed from web/yarn.lock.

flatted (1 × HIGH — GHSA-rf6f-7fwh-wjgh)

Bumped 3.4.1 → 3.4.2 in the Electron runtime/ lockfile (already in-range; the pin was just stale).

Out of scope

• paramiko (2 × LOW) — already covered by Dependabot PR Python dependency: Bump paramiko from 3.5.1 to 5.0.0 #9927.
• elliptic (1 × LOW) — no patched version available upstream; tracked only.

Test plan

• yarn install builds ttf2woff2's native addon with node-gyp@11.
• yarn webpacker compiles successfully and regenerates the icon webfonts (verified the .woff2 artifacts are freshly written — this is the step that exercises ttf2woff2).
• yarn run test:js-once — 829/829 pass, eslint clean.
• Confirmed the web/yarn.lock changes are confined to the install/build toolchain; no application-facing dependency shifted.

Summary by CodeRabbit

• Chores
  • Updated vulnerable transitive dependencies to clear security advisories and protect against potential vulnerabilities.
  • Configured dependency version overrides to ensure optimal compatibility and stability.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 2f6e9dea-71a6-4f0d-8594-553bafbb1123

📥 Commits

Reviewing files that changed from the base of the PR and between 4c5702d and f393902.

⛔ Files ignored due to path filters (2)

• runtime/yarn.lock is excluded by !**/yarn.lock, !**/*.lock
• web/yarn.lock is excluded by !**/yarn.lock, !**/*.lock

📒 Files selected for processing (2)

• docs/en_US/release_notes_9_16.rst
• web/package.json

---

Walkthrough

This PR adds a Yarn dependency resolution override for ttf2woff2/node-gyp (^11.2.0) to address a transitive dependency vulnerability, and documents the fix in the v9.16 release notes under Housekeeping for Issue #10049.

Changes

Dependency security resolution

Layer / File(s)	Summary
Dependency resolution and housekeeping documentation web/package.json, docs/en_US/release_notes_9_16.rst	Yarn resolutions is updated to pin ttf2woff2/node-gyp to ^11.2.0, and release notes are updated with a Housekeeping entry documenting the bump of vulnerable transitive dependencies (tar, flatted) for Issue #10049.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Possibly related PRs

• pgadmin-org/pgadmin4#10048: Both PRs modify the v9.16 release notes file, with #10048 scaffolding the template and this PR adding a Housekeeping entry.
• pgadmin-org/pgadmin4#10023: Related PR that includes broader web/package.json resolutions updates covering the same transitive dependency patching work (tar@npm version pinning).

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly and specifically describes the main change: clearing vulnerable transitive dependencies (tar and flatted), which matches the PR's core objective to resolve Dependabot HIGH security advisories.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}