chore(deps): bump tmp override to >=0.2.6 (GHSA-ph9p-34f9-6g65) (#240)
## Summary Bump the existing `tmp` security override from `>=0.2.4` to `>=0.2.6` to cover [GHSA-ph9p-34f9-6g65](https://github.com/advisories/GHSA-ph9p-34f9-6g65) — a path-traversal vulnerability via unsanitized prefix/postfix in `tmp@<0.2.6`. Surfaced by `pnpm ci:audit` on the next CI run; both Gitea and the in-flight GitLab Phase 2 pipeline fail without this. ## Why this isn't an upstream upgrade `tmp` is a transitive dependency. The two consuming paths today: | Path | Latest available | | --- | --- | | `.>nx>tmp` | `nx@22.7.4` still declares `tmp@^0.2.4` | | `.>@lhci/cli>tmp` | `@lhci/cli@0.15.1` (latest) still declares `tmp@^0.1.0` | Upgrading `nx` or `@lhci/cli` does not move `tmp` to 0.2.6. The pre-existing `pnpm.overrides` entry was already pinning `tmp@<0.2.4` → `>=0.2.4` against the prior advisory; this PR just widens the lower bound to match the new one. Same pattern, one line. ## What lands | File | Change | | --- | --- | | `package.json` | `"tmp@<0.2.4": ">=0.2.4"` → `"tmp@<0.2.6": ">=0.2.6"` (one line). | | `pnpm-lock.yaml` | `tmp@0.2.4` → `tmp@0.2.6` resolved; `@scalar/nestjs-api-reference@1.1.16 → 1.1.19` picked up as a natural transitive resolution during `pnpm install` (no semver-major, both are within the existing `^1.1.14` range and match Renovate's "patch + auto-merge" policy). | ## Risk Patch bump (0.2.4 → 0.2.6) on a tiny library with a stable public API since v0.2.0. The release notes for 0.2.5 and 0.2.6 are sanitization-only fixes — no API surface change. Risk of regression in nx / lhci consumers: negligible. ## Test plan - [x] `pnpm audit --audit-level=moderate` returns `No known vulnerabilities found` (exit 0). - [x] `pnpm why tmp` shows `tmp@0.2.6` as the single resolved version (no duplicate). - [ ] CI green on Gitea (`check` + `scan` jobs). - [ ] Once merged, rebase `ci/gitlab-pipeline-phase2` on top and retry the GitLab `audit` job — expected green. ## Related - [GHSA-ph9p-34f9-6g65](https://github.com/advisories/GHSA-ph9p-34f9-6g65) — the advisory. - Unblocks [ADR-0028](../docs/decisions/0028-migrate-cicd-and-git-hosting-to-gitlab.md) Phase 2 pipeline parity validation (see `ci/gitlab-pipeline-phase2` branch). --------- Co-authored-by: Julien Gautier <julien.gautier@apf.asso.fr> Reviewed-on: #240
This commit was merged in pull request #240.
This commit is contained in:
+1
-1
@@ -49,7 +49,7 @@
|
||||
"follow-redirects@<1.16.0": ">=1.16.0",
|
||||
"ip-address@<10.1.1": ">=10.1.1",
|
||||
"protobufjs@<8.0.2": ">=8.0.2",
|
||||
"tmp@<0.2.4": ">=0.2.4",
|
||||
"tmp@<0.2.6": ">=0.2.6",
|
||||
"uuid@<11.1.1": ">=11.1.1",
|
||||
"vitepress>vite": ">=6.4.2 <7",
|
||||
"ws@>=8.0.0 <8.20.1": ">=8.20.1",
|
||||
|
||||
Generated
+7
-13
@@ -12,7 +12,7 @@ overrides:
|
||||
follow-redirects@<1.16.0: '>=1.16.0'
|
||||
ip-address@<10.1.1: '>=10.1.1'
|
||||
protobufjs@<8.0.2: '>=8.0.2'
|
||||
tmp@<0.2.4: '>=0.2.4'
|
||||
tmp@<0.2.6: '>=0.2.6'
|
||||
uuid@<11.1.1: '>=11.1.1'
|
||||
vitepress>vite: '>=6.4.2 <7'
|
||||
ws@>=8.0.0 <8.20.1: '>=8.20.1'
|
||||
@@ -10500,12 +10500,8 @@ packages:
|
||||
resolution: {integrity: sha512-ELrFxuqsDdHUwoh0XxDbxuLD3Wnz49Z57IFvTtvWy1hJdcMZjXLIuonjilCiWHlT2GbE4Wlv1wKVTzDFnXH1aw==}
|
||||
hasBin: true
|
||||
|
||||
tmp@0.2.4:
|
||||
resolution: {integrity: sha512-UdiSoX6ypifLmrfQ/XfiawN6hkjSBpCjhKxxZcWlUUmoXLaCKQU0bx4HF/tdDK2uzRuchf1txGvrWBzYREssoQ==}
|
||||
engines: {node: '>=14.14'}
|
||||
|
||||
tmp@0.2.5:
|
||||
resolution: {integrity: sha512-voyz6MApa1rQGUxT3E+BK7/ROe8itEx7vD8/HEvt4xwXucvQ5G5oeEiHkmHZJuBO21RpOf+YYm9MOivj709jow==}
|
||||
tmp@0.2.6:
|
||||
resolution: {integrity: sha512-5sJPdPjfI5Kx+qbrDesxkglRBxW//g7hCsqspEjwkewGvBMGIKMOTKzLt1hFVJzyadba3lDUN20O9qhvbQUSTA==}
|
||||
engines: {node: '>=14.14'}
|
||||
|
||||
tmpl@1.0.5:
|
||||
@@ -13721,7 +13717,7 @@ snapshots:
|
||||
lighthouse-logger: 1.2.0
|
||||
open: 7.4.2
|
||||
proxy-agent: 6.5.0
|
||||
tmp: 0.2.5
|
||||
tmp: 0.2.6
|
||||
uuid: 14.0.0
|
||||
yargs: 15.4.1
|
||||
yargs-parser: 13.1.2
|
||||
@@ -18971,7 +18967,7 @@ snapshots:
|
||||
dependencies:
|
||||
chardet: 0.7.0
|
||||
iconv-lite: 0.4.24
|
||||
tmp: 0.2.5
|
||||
tmp: 0.2.6
|
||||
|
||||
extract-zip@2.0.1:
|
||||
dependencies:
|
||||
@@ -21105,7 +21101,7 @@ snapshots:
|
||||
strip-bom: 3.0.0
|
||||
supports-color: 7.2.0
|
||||
tar-stream: 2.2.0
|
||||
tmp: 0.2.4
|
||||
tmp: 0.2.6
|
||||
tree-kill: 1.2.2
|
||||
tsconfig-paths: 4.2.0
|
||||
tslib: 2.8.1
|
||||
@@ -22962,9 +22958,7 @@ snapshots:
|
||||
dependencies:
|
||||
tldts-core: 7.0.30
|
||||
|
||||
tmp@0.2.4: {}
|
||||
|
||||
tmp@0.2.5: {}
|
||||
tmp@0.2.6: {}
|
||||
|
||||
tmpl@1.0.5: {}
|
||||
|
||||
|
||||
Reference in New Issue
Block a user