From e2894afc4a6e5015774ff6fc6e7638ea0f06995c Mon Sep 17 00:00:00 2001 From: Julien Gautier Date: Wed, 27 May 2026 17:29:41 +0200 Subject: [PATCH] chore(deps): bump tmp override to >=0.2.6 (GHSA-ph9p-34f9-6g65) (#240) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit ## Summary Bump the existing `tmp` security override from `>=0.2.4` to `>=0.2.6` to cover [GHSA-ph9p-34f9-6g65](https://github.com/advisories/GHSA-ph9p-34f9-6g65) — a path-traversal vulnerability via unsanitized prefix/postfix in `tmp@<0.2.6`. Surfaced by `pnpm ci:audit` on the next CI run; both Gitea and the in-flight GitLab Phase 2 pipeline fail without this. ## Why this isn't an upstream upgrade `tmp` is a transitive dependency. The two consuming paths today: | Path | Latest available | | --- | --- | | `.>nx>tmp` | `nx@22.7.4` still declares `tmp@^0.2.4` | | `.>@lhci/cli>tmp` | `@lhci/cli@0.15.1` (latest) still declares `tmp@^0.1.0` | Upgrading `nx` or `@lhci/cli` does not move `tmp` to 0.2.6. The pre-existing `pnpm.overrides` entry was already pinning `tmp@<0.2.4` → `>=0.2.4` against the prior advisory; this PR just widens the lower bound to match the new one. Same pattern, one line. ## What lands | File | Change | | --- | --- | | `package.json` | `"tmp@<0.2.4": ">=0.2.4"` → `"tmp@<0.2.6": ">=0.2.6"` (one line). | | `pnpm-lock.yaml` | `tmp@0.2.4` → `tmp@0.2.6` resolved; `@scalar/nestjs-api-reference@1.1.16 → 1.1.19` picked up as a natural transitive resolution during `pnpm install` (no semver-major, both are within the existing `^1.1.14` range and match Renovate's "patch + auto-merge" policy). | ## Risk Patch bump (0.2.4 → 0.2.6) on a tiny library with a stable public API since v0.2.0. The release notes for 0.2.5 and 0.2.6 are sanitization-only fixes — no API surface change. Risk of regression in nx / lhci consumers: negligible. ## Test plan - [x] `pnpm audit --audit-level=moderate` returns `No known vulnerabilities found` (exit 0). - [x] `pnpm why tmp` shows `tmp@0.2.6` as the single resolved version (no duplicate). - [ ] CI green on Gitea (`check` + `scan` jobs). - [ ] Once merged, rebase `ci/gitlab-pipeline-phase2` on top and retry the GitLab `audit` job — expected green. ## Related - [GHSA-ph9p-34f9-6g65](https://github.com/advisories/GHSA-ph9p-34f9-6g65) — the advisory. - Unblocks [ADR-0028](../docs/decisions/0028-migrate-cicd-and-git-hosting-to-gitlab.md) Phase 2 pipeline parity validation (see `ci/gitlab-pipeline-phase2` branch). --------- Co-authored-by: Julien Gautier Reviewed-on: https://git.unespace.com/julien/apf_portal/pulls/240 --- package.json | 2 +- pnpm-lock.yaml | 20 +++++++------------- 2 files changed, 8 insertions(+), 14 deletions(-) diff --git a/package.json b/package.json index 42c1c0c..7399e00 100644 --- a/package.json +++ b/package.json @@ -49,7 +49,7 @@ "follow-redirects@<1.16.0": ">=1.16.0", "ip-address@<10.1.1": ">=10.1.1", "protobufjs@<8.0.2": ">=8.0.2", - "tmp@<0.2.4": ">=0.2.4", + "tmp@<0.2.6": ">=0.2.6", "uuid@<11.1.1": ">=11.1.1", "vitepress>vite": ">=6.4.2 <7", "ws@>=8.0.0 <8.20.1": ">=8.20.1", diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml index 7cddb41..09f62e7 100644 --- a/pnpm-lock.yaml +++ b/pnpm-lock.yaml @@ -12,7 +12,7 @@ overrides: follow-redirects@<1.16.0: '>=1.16.0' ip-address@<10.1.1: '>=10.1.1' protobufjs@<8.0.2: '>=8.0.2' - tmp@<0.2.4: '>=0.2.4' + tmp@<0.2.6: '>=0.2.6' uuid@<11.1.1: '>=11.1.1' vitepress>vite: '>=6.4.2 <7' ws@>=8.0.0 <8.20.1: '>=8.20.1' @@ -10500,12 +10500,8 @@ packages: resolution: {integrity: sha512-ELrFxuqsDdHUwoh0XxDbxuLD3Wnz49Z57IFvTtvWy1hJdcMZjXLIuonjilCiWHlT2GbE4Wlv1wKVTzDFnXH1aw==} hasBin: true - tmp@0.2.4: - resolution: {integrity: sha512-UdiSoX6ypifLmrfQ/XfiawN6hkjSBpCjhKxxZcWlUUmoXLaCKQU0bx4HF/tdDK2uzRuchf1txGvrWBzYREssoQ==} - engines: {node: '>=14.14'} - - tmp@0.2.5: - resolution: {integrity: sha512-voyz6MApa1rQGUxT3E+BK7/ROe8itEx7vD8/HEvt4xwXucvQ5G5oeEiHkmHZJuBO21RpOf+YYm9MOivj709jow==} + tmp@0.2.6: + resolution: {integrity: sha512-5sJPdPjfI5Kx+qbrDesxkglRBxW//g7hCsqspEjwkewGvBMGIKMOTKzLt1hFVJzyadba3lDUN20O9qhvbQUSTA==} engines: {node: '>=14.14'} tmpl@1.0.5: @@ -13721,7 +13717,7 @@ snapshots: lighthouse-logger: 1.2.0 open: 7.4.2 proxy-agent: 6.5.0 - tmp: 0.2.5 + tmp: 0.2.6 uuid: 14.0.0 yargs: 15.4.1 yargs-parser: 13.1.2 @@ -18971,7 +18967,7 @@ snapshots: dependencies: chardet: 0.7.0 iconv-lite: 0.4.24 - tmp: 0.2.5 + tmp: 0.2.6 extract-zip@2.0.1: dependencies: @@ -21105,7 +21101,7 @@ snapshots: strip-bom: 3.0.0 supports-color: 7.2.0 tar-stream: 2.2.0 - tmp: 0.2.4 + tmp: 0.2.6 tree-kill: 1.2.2 tsconfig-paths: 4.2.0 tslib: 2.8.1 @@ -22962,9 +22958,7 @@ snapshots: dependencies: tldts-core: 7.0.30 - tmp@0.2.4: {} - - tmp@0.2.5: {} + tmp@0.2.6: {} tmpl@1.0.5: {}