
Please bump tar-fs dependencies in package-lock.json #7327

@taylorreece

Description


Describe the bug

It seems like #7322 was closed prematurely.

Steps to reproduce

Currently, if you initialize a new node project

```
mkdir my-project
cd my-project
npm init -y
```

Then, install netlify-cli into that project

```
npm install -D netlify-cli
```

npm warns of downstream tar-fs dependencies bound to a "risky" CVE. Because netlify-cli turns its package-lock.json into an npm-shrinkwrap.json, a user cannot easily `npm audit fix` the downstream dependency in their own project. People who install netlify-cli are bound to versions 2.1.2 and 3.0.8 of tar-fs when patched versions 2.1.3 and 3.0.9 are available.

It'd be cool if we could reopen and merge #7322, so when you install netlify-cli, you get patched versions of tar-fs.

Configuration

No response

Environment

```
System:
  OS: macOS 15.5
  CPU: (10) arm64 Apple M1 Pro
  Memory: 120.16 MB / 32.00 GB
  Shell: 5.9 - /bin/zsh
Binaries:
  Node: 22.12.0 - ~/.asdf/installs/nodejs/22.12.0/bin/node
  Yarn: 1.22.19 - ~/.asdf/shims/yarn
  npm: 10.9.0 - ~/.asdf/plugins/nodejs/shims/npm
```
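Since the shrinkwrap pins the nested tar-fs copies, a quick way to confirm whether a project is still carrying the unpatched versions is to read the lockfile directly. The script below is an added example, not code from the issue or from netlify-cli; it assumes a standard package-lock.json or npm-shrinkwrap.json (lockfileVersion 1, 2 or 3) and uses the patched versions named above (2.1.3 and 3.0.9) as the bar.

```javascript
// Added example, not from the issue or netlify-cli: scan an npm lockfile
// (package-lock.json or npm-shrinkwrap.json) for copies of tar-fs older than
// the patched releases named in the issue. Usage: node check-tar-fs.js <lockfile>
// Minimum patched tar-fs version per major line, as stated in the issue.
const PATCHED = { 2: '2.1.3', 3: '3.0.9' };
// Numeric [major, minor, patch]; any prerelease suffix is dropped.
const parseVersion = (v) => v.split('-')[0].split('.').map(Number);
// Comparator: negative when a < b, zero when equal, positive when a > b.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Every installed copy of `name`, nested ones included. lockfileVersion 2/3
// list them flat under "packages"; v1 nests them under "dependencies".
function findInstalled(lock, name) {
  const hits = [];
  if (lock.packages) {
    for (const [path, entry] of Object.entries(lock.packages)) {
      if (path === `node_modules/${name}` || path.endsWith(`/node_modules/${name}`)) {
        hits.push({ path, version: entry.version });
      }
    }
    return hits;
  }
  const walk = (deps, prefix) => {
    for (const [dep, entry] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${dep}`;
      if (dep === name) hits.push({ path, version: entry.version });
      walk(entry.dependencies, `${path}/`);
    }
  };
  walk(lock.dependencies, '');
  return hits;
}

// Copies of tar-fs below the patched release for their major line (other majors are skipped).
function vulnerableTarFs(lock) {
  return findInstalled(lock, 'tar-fs').filter(({ version }) => {
    const fixed = PATCHED[parseVersion(version)[0]];
    return fixed !== undefined && compareVersions(version, fixed) < 0;
  });
}
if (process.argv[2]) {
  const lock = JSON.parse(require('fs').readFileSync(process.argv[2], 'utf8'));
  for (const hit of vulnerableTarFs(lock)) console.log(`${hit.path} ${hit.version}`);
}
```

Run it against `node_modules/netlify-cli/npm-shrinkwrap.json` as well as your own package-lock.json, since the pinned copies live under the CLI's shrinkwrap rather than the top-level lockfile.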

Labels: security, type: bug (code to address defects in shipped code)
