
chore: bump node-pre-gyp/node-gyp to move off vulnerable tar@6 #64

Open

kazuyuki-eguchi wants to merge 1 commit into abandonware:master from kazuyuki-eguchi:chore/bump-node-pre-gyp2-node-gyp11

Conversation

@kazuyuki-eguchi

What changed

  • Bumped @mapbox/node-pre-gyp from ^1.0.11 to ^2.0.3
  • Bumped node-gyp from ^10.0.1 to ^11.5.0
  • Regenerated package-lock.json

Why

Current lockfile resolves tar@6.2.1 through install-time dependencies:

  • @mapbox/node-pre-gyp@1.x -> tar@6.x
  • node-gyp@10.x -> tar@6.x

This blocks remediation for recent tar advisories (including hardlink/symlink escape class issues).

After this change, lockfile resolution is on tar@7.5.9.

Verification

  • npm install --package-lock-only --ignore-scripts --force
  • npm audit --omit=dev --omit=optional => found 0 vulnerabilities

Compatibility / risk

@mapbox/node-pre-gyp@2.x requires Node >=18, so this may affect older Node install scenarios.
If this repo must preserve older Node install support, we should treat this as a breaking change and release accordingly.


@rzr rzr left a comment


Has this change been tested?

@kazuyuki-eguchi
Author

Thanks for the review.

Yes, I tested this change in my fork (Node v22.17.0 / npm 11.7.0).

Commands run:

  • npm install --force --ignore-scripts
  • npm test
  • npm ls tar --all

Results:

  • npm test completed successfully (the expected “Unsupported platform” message is handled in test.js on macOS).
  • tar now resolves to 7.5.9 via both:
    • @mapbox/node-pre-gyp@2.0.3
    • node-gyp@11.5.0

I have not yet run native build/install verification on Linux/Windows in this branch. I can add that if you want.
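The verification steps in the PR description and the `npm ls tar --all` check in the reply above both come down to one question: does any installed copy of `tar` in the regenerated lockfile still resolve to a 6.x release? The following is an added example, not code from this PR or from the abandonware project, that answers that question directly from a `package-lock.json` (lockfileVersion 2 or 3 `packages` map) rather than from `npm ls` output. It reports every installed copy of a package, which packages declare a dependency on it, and whether any copy sits below a required major version. The three lockfiles embedded below are constructed for illustration: a "before" state mirroring the PR's description (tar@6.2.1 pulled in by node-pre-gyp@1.x and node-gyp@10.x), an "after" state on tar@7.5.9, and a "mixed" state with a hypothetical `legacy-tool` package that keeps a nested 6.x copy even though the hoisted copy is 7.x. The dependency ranges inside them are also constructed.

```javascript
// Added example (not from the PR or the project): audit an npm lockfile for
// every installed copy of a package and flag versions below a minimum major.
// All lockfile contents are constructed; they are not real lockfiles.
const NM = 'node_modules/';

// Constructed "before" state: tar@6.2.1 hoisted to the root, required by
// @mapbox/node-pre-gyp@1.x and node-gyp@10.x.
const LOCK_BEFORE = {
  name: 'example-native-addon', // constructed project name
  lockfileVersion: 3,
  packages: {
    '': { dependencies: { '@mapbox/node-pre-gyp': '^1.0.11', 'node-gyp': '^10.0.1' } },
    'node_modules/@mapbox/node-pre-gyp': { version: '1.0.11', dependencies: { tar: '^6.1.11' } },
    'node_modules/node-gyp': { version: '10.0.1', dependencies: { tar: '^6.1.2' } },
    'node_modules/tar': { version: '6.2.1' },
  },
};

// Constructed "after" state: both parents bumped, tar deduplicated to 7.5.9.
const LOCK_AFTER = {
  name: 'example-native-addon',
  lockfileVersion: 3,
  packages: {
    '': { dependencies: { '@mapbox/node-pre-gyp': '^2.0.3', 'node-gyp': '^11.5.0' } },
    'node_modules/@mapbox/node-pre-gyp': { version: '2.0.3', dependencies: { tar: '^7.0.0' } },
    'node_modules/node-gyp': { version: '11.5.0', dependencies: { tar: '^7.0.0' } },
    'node_modules/tar': { version: '7.5.9' },
  },
};

// Constructed "mixed" state: the hoisted copy is fixed, but a hypothetical
// legacy-tool still owns a nested tar@6.2.1 under its own node_modules.
const LOCK_MIXED = {
  name: 'example-native-addon',
  lockfileVersion: 3,
  packages: {
    '': { dependencies: { '@mapbox/node-pre-gyp': '^2.0.3', 'legacy-tool': '^1.0.0' } },
    'node_modules/@mapbox/node-pre-gyp': { version: '2.0.3', dependencies: { tar: '^7.0.0' } },
    'node_modules/tar': { version: '7.5.9' },
    'node_modules/legacy-tool': { version: '1.0.0', dependencies: { tar: '^6.0.0' } },
    'node_modules/legacy-tool/node_modules/tar': { version: '6.2.1' },
  },
};

function parseSemver(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v || '');
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { major: Number(m[1]), minor: Number(m[2]), patch: Number(m[3]) };
}

// A lockfile path names a package by everything after its last "node_modules/";
// scoped names ("@mapbox/node-pre-gyp") contain a slash but no second marker.
function nameOfPath(p) {
  const i = p.lastIndexOf(NM);
  return i === -1 ? null : p.slice(i + NM.length);
}

// The segment before the last "node_modules/" is the package that owns a
// nested copy; an empty prefix means the copy is hoisted to the project root.
function ownerOfPath(p) {
  const i = p.lastIndexOf(NM);
  const owner = p.slice(0, i).replace(/\/$/, '');
  return owner === '' ? '(root)' : nameOfPath(owner);
}

// Every installed copy of `name`, hoisted or nested.
function findInstalls(lock, name) {
  return Object.entries(lock.packages || {})
    .filter(([p]) => nameOfPath(p) === name)
    .map(([p, meta]) => ({ path: p, version: meta.version, owner: ownerOfPath(p) }));
}

// Packages that declare `name` as a runtime dependency (the "who pulls it in").
function dependentsOf(lock, name) {
  return Object.entries(lock.packages || {})
    .filter(([p, meta]) => p !== '' && meta.dependencies && name in meta.dependencies)
    .map(([p, meta]) => `${nameOfPath(p)}@${meta.version} (wants ${meta.dependencies[name]})`);
}

// ok is true only when no installed copy is below minMajor.
function auditLockfile(lock, name, minMajor) {
  const installs = findInstalls(lock, name);
  const below = installs.filter((i) => parseSemver(i.version).major < minMajor);
  return { installs, dependents: dependentsOf(lock, name), below, ok: below.length === 0 };
}

function report(label, lock) {
  const r = auditLockfile(lock, 'tar', 7);
  console.log(`${label}: ${r.ok ? 'OK' : 'FAIL'}`);
  for (const i of r.installs) console.log(`  ${i.path} -> tar@${i.version} (owner: ${i.owner})`);
  for (const d of r.dependents) console.log(`  depended on by ${d}`);
  return r.ok;
}

report('before', LOCK_BEFORE);
report('after', LOCK_AFTER);
report('mixed', LOCK_MIXED);
```

To run this against a real lockfile, replace the constructed objects with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` and have a CI wrapper exit non-zero when `auditLockfile(...).ok` is false. The "mixed" case is the one worth keeping in mind when reading the PR's `npm ls tar --all` result: a single hoisted tar@7.x at the root does not by itself prove that no nested 6.x copy remains, so the check walks every path in the `packages` map rather than only `node_modules/tar`.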
