fix: update tar to resolve CVE-2026-31802

[dannyneira]

Summary

• Adds an npm override in examples/canvas_webgl_minimal/www/package.json to force transitive tar to 7.5.11.
• Regenerates the npm v1 lockfile so examples/canvas_webgl_minimal/www/package-lock.json resolves tar@7.5.11.

Vulnerabilities resolved

• https://github.com/warpdotdev/pathfinder/security/dependabot/63 — CVE-2026-23745 / GHSA-8qq5-rm4j-mr97
• https://github.com/warpdotdev/pathfinder/security/dependabot/64 — CVE-2026-23950 / GHSA-r6q2-hw4h-h46w
• https://github.com/warpdotdev/pathfinder/security/dependabot/66 — CVE-2026-24842 / GHSA-34x7-hfp2-rc4v
• https://github.com/warpdotdev/pathfinder/security/dependabot/70 — CVE-2026-26960 / GHSA-83g3-92jg-28cx
• https://github.com/warpdotdev/pathfinder/security/dependabot/77 — CVE-2026-29786 / GHSA-qffp-2rhf-9h96
• https://github.com/warpdotdev/pathfinder/security/dependabot/78 — CVE-2026-31802 / GHSA-9ppj-qmqm-q256

Details

• tar is a transitive development dependency in examples/canvas_webgl_minimal/www/package-lock.json.
• The vulnerable copy was pulled through the old example app dependency tree (fsevents -> node-pre-gyp -> tar).
• No Dependabot update error was present for these alerts.

Verification

• npx -y npm@10.9.4 audit --json reports no tar vulnerability.
• npx -y npm@10.9.4 install --lockfile-version=1 --legacy-peer-deps succeeds.
• NODE_OPTIONS=--openssl-legacy-provider npx -y npm@10.9.4 run build reaches webpack compilation but fails because examples/canvas_webgl_minimal/pkg is not generated in the checkout, so the existing file:../pkg dependency cannot resolve.

Co-Authored-By: Oz oz-agent@warp.dev

Conversation: https://staging.warp.dev/conversation/554ae522-aab9-4842-a363-59417f5b82ae
Run: https://oz.staging.warp.dev/runs/019e7ec3-8770-74a4-b57c-f84e654f1c21
This PR was generated with Oz.