chore(deps): bump tmp override to >=0.2.6 (GHSA-ph9p-34f9-6g65) #240

Merged
julien merged 1 commits from chore/bump-tmp-override-ghsa-ph9p-34f9-6g65 into main 2026-05-27 17:29:42 +02:00
Owner

Summary

Bump the existing tmp security override from >=0.2.4 to >=0.2.6 to cover GHSA-ph9p-34f9-6g65 — a path-traversal vulnerability via unsanitized prefix/postfix in tmp@<0.2.6. Surfaced by pnpm ci:audit on the next CI run; both Gitea and the in-flight GitLab Phase 2 pipeline fail without this.

Why this isn't an upstream upgrade

tmp is a transitive dependency. The two consuming paths today:

Path Latest available
.>nx>tmp nx@22.7.4 still declares tmp@^0.2.4
.>@lhci/cli>tmp @lhci/cli@0.15.1 (latest) still declares tmp@^0.1.0

Upgrading nx or @lhci/cli does not move tmp to 0.2.6. The pre-existing pnpm.overrides entry was already pinning tmp@<0.2.4>=0.2.4 against the prior advisory; this PR just widens the lower bound to match the new one. Same pattern, one line.

What lands

File Change
package.json "tmp@<0.2.4": ">=0.2.4""tmp@<0.2.6": ">=0.2.6" (one line).
pnpm-lock.yaml tmp@0.2.4tmp@0.2.6 resolved; @scalar/nestjs-api-reference@1.1.16 → 1.1.19 picked up as a natural transitive resolution during pnpm install (no semver-major, both are within the existing ^1.1.14 range and match Renovate's "patch + auto-merge" policy).

Risk

Patch bump (0.2.4 → 0.2.6) on a tiny library with a stable public API since v0.2.0. The release notes for 0.2.5 and 0.2.6 are sanitization-only fixes — no API surface change. Risk of regression in nx / lhci consumers: negligible.

Test plan

  • pnpm audit --audit-level=moderate returns No known vulnerabilities found (exit 0).
  • pnpm why tmp shows tmp@0.2.6 as the single resolved version (no duplicate).
  • CI green on Gitea (check + scan jobs).
  • Once merged, rebase ci/gitlab-pipeline-phase2 on top and retry the GitLab audit job — expected green.

Related

## Summary Bump the existing `tmp` security override from `>=0.2.4` to `>=0.2.6` to cover [GHSA-ph9p-34f9-6g65](https://github.com/advisories/GHSA-ph9p-34f9-6g65) — a path-traversal vulnerability via unsanitized prefix/postfix in `tmp@<0.2.6`. Surfaced by `pnpm ci:audit` on the next CI run; both Gitea and the in-flight GitLab Phase 2 pipeline fail without this. ## Why this isn't an upstream upgrade `tmp` is a transitive dependency. The two consuming paths today: | Path | Latest available | | --- | --- | | `.>nx>tmp` | `nx@22.7.4` still declares `tmp@^0.2.4` | | `.>@lhci/cli>tmp` | `@lhci/cli@0.15.1` (latest) still declares `tmp@^0.1.0` | Upgrading `nx` or `@lhci/cli` does not move `tmp` to 0.2.6. The pre-existing `pnpm.overrides` entry was already pinning `tmp@<0.2.4` → `>=0.2.4` against the prior advisory; this PR just widens the lower bound to match the new one. Same pattern, one line. ## What lands | File | Change | | --- | --- | | `package.json` | `"tmp@<0.2.4": ">=0.2.4"` → `"tmp@<0.2.6": ">=0.2.6"` (one line). | | `pnpm-lock.yaml` | `tmp@0.2.4` → `tmp@0.2.6` resolved; `@scalar/nestjs-api-reference@1.1.16 → 1.1.19` picked up as a natural transitive resolution during `pnpm install` (no semver-major, both are within the existing `^1.1.14` range and match Renovate's "patch + auto-merge" policy). | ## Risk Patch bump (0.2.4 → 0.2.6) on a tiny library with a stable public API since v0.2.0. The release notes for 0.2.5 and 0.2.6 are sanitization-only fixes — no API surface change. Risk of regression in nx / lhci consumers: negligible. ## Test plan - [x] `pnpm audit --audit-level=moderate` returns `No known vulnerabilities found` (exit 0). - [x] `pnpm why tmp` shows `tmp@0.2.6` as the single resolved version (no duplicate). - [ ] CI green on Gitea (`check` + `scan` jobs). - [ ] Once merged, rebase `ci/gitlab-pipeline-phase2` on top and retry the GitLab `audit` job — expected green. ## Related - [GHSA-ph9p-34f9-6g65](https://github.com/advisories/GHSA-ph9p-34f9-6g65) — the advisory. - Unblocks [ADR-0028](../docs/decisions/0028-migrate-cicd-and-git-hosting-to-gitlab.md) Phase 2 pipeline parity validation (see `ci/gitlab-pipeline-phase2` branch).
julien added 1 commit 2026-05-27 17:29:30 +02:00
chore(deps): bump tmp override to >=0.2.6 (GHSA-ph9p-34f9-6g65)
CI / commits (pull_request) Successful in 2m48s
CI / scan (pull_request) Successful in 2m49s
CI / a11y (pull_request) Successful in 2m10s
CI / check (pull_request) Successful in 5m30s
Docs site / build (pull_request) Successful in 2m52s
CI / perf (pull_request) Successful in 5m55s
eb6aa6e8bb
Bump the existing pnpm override for tmp from >=0.2.4 to >=0.2.6 to
cover GHSA-ph9p-34f9-6g65, a path-traversal vulnerability via
unsanitized prefix/postfix in tmp <0.2.6. Surfaced by pnpm ci:audit.

Both consuming paths in the tree (nx and @lhci/cli) still depend on
tmp <0.2.6 at their latest releases, so an upstream upgrade is not
an option. Same override pattern that was already in place for the
prior tmp advisory, with the lower bound widened.

Side effect of pnpm install: @scalar/nestjs-api-reference bumped
1.1.16 -> 1.1.19, both within the existing ^1.1.14 range. Natural
transitive resolution, not a deliberate change.

Risk: patch bump on a tiny library with a stable API; the 0.2.5 and
0.2.6 releases are sanitization-only fixes.
julien merged commit e2894afc4a into main 2026-05-27 17:29:42 +02:00
julien deleted branch chore/bump-tmp-override-ghsa-ph9p-34f9-6g65 2026-05-27 17:29:45 +02:00
Sign in to join this conversation.
No Reviewers
No Label
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: julien/apf_portal#240