GitHub tackles severe vulnerabilities in Node.js packages

Bugs impacting tar and @npmcli/arborist were reported through a bug bounty program.