From eb6aa6e8bb18b4fbcd27aed0b6b337caedb17c9e Mon Sep 17 00:00:00 2001 From: Julien Gautier Date: Wed, 27 May 2026 17:26:54 +0200 Subject: [PATCH] chore(deps): bump tmp override to >=0.2.6 (GHSA-ph9p-34f9-6g65) Bump the existing pnpm override for tmp from >=0.2.4 to >=0.2.6 to cover GHSA-ph9p-34f9-6g65, a path-traversal vulnerability via unsanitized prefix/postfix in tmp <0.2.6. Surfaced by pnpm ci:audit. Both consuming paths in the tree (nx and @lhci/cli) still depend on tmp <0.2.6 at their latest releases, so an upstream upgrade is not an option. Same override pattern that was already in place for the prior tmp advisory, with the lower bound widened. Side effect of pnpm install: @scalar/nestjs-api-reference bumped 1.1.16 -> 1.1.19, both within the existing ^1.1.14 range. Natural transitive resolution, not a deliberate change. Risk: patch bump on a tiny library with a stable API; the 0.2.5 and 0.2.6 releases are sanitization-only fixes. --- package.json | 2 +- pnpm-lock.yaml | 20 +++++++------------- 2 files changed, 8 insertions(+), 14 deletions(-) diff --git a/package.json b/package.json index 42c1c0c..7399e00 100644 --- a/package.json +++ b/package.json @@ -49,7 +49,7 @@ "follow-redirects@<1.16.0": ">=1.16.0", "ip-address@<10.1.1": ">=10.1.1", "protobufjs@<8.0.2": ">=8.0.2", - "tmp@<0.2.4": ">=0.2.4", + "tmp@<0.2.6": ">=0.2.6", "uuid@<11.1.1": ">=11.1.1", "vitepress>vite": ">=6.4.2 <7", "ws@>=8.0.0 <8.20.1": ">=8.20.1", diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml index 7cddb41..09f62e7 100644 --- a/pnpm-lock.yaml +++ b/pnpm-lock.yaml @@ -12,7 +12,7 @@ overrides: follow-redirects@<1.16.0: '>=1.16.0' ip-address@<10.1.1: '>=10.1.1' protobufjs@<8.0.2: '>=8.0.2' - tmp@<0.2.4: '>=0.2.4' + tmp@<0.2.6: '>=0.2.6' uuid@<11.1.1: '>=11.1.1' vitepress>vite: '>=6.4.2 <7' ws@>=8.0.0 <8.20.1: '>=8.20.1' @@ -10500,12 +10500,8 @@ packages: resolution: {integrity: sha512-ELrFxuqsDdHUwoh0XxDbxuLD3Wnz49Z57IFvTtvWy1hJdcMZjXLIuonjilCiWHlT2GbE4Wlv1wKVTzDFnXH1aw==} hasBin: true - tmp@0.2.4: - resolution: {integrity: sha512-UdiSoX6ypifLmrfQ/XfiawN6hkjSBpCjhKxxZcWlUUmoXLaCKQU0bx4HF/tdDK2uzRuchf1txGvrWBzYREssoQ==} - engines: {node: '>=14.14'} - - tmp@0.2.5: - resolution: {integrity: sha512-voyz6MApa1rQGUxT3E+BK7/ROe8itEx7vD8/HEvt4xwXucvQ5G5oeEiHkmHZJuBO21RpOf+YYm9MOivj709jow==} + tmp@0.2.6: + resolution: {integrity: sha512-5sJPdPjfI5Kx+qbrDesxkglRBxW//g7hCsqspEjwkewGvBMGIKMOTKzLt1hFVJzyadba3lDUN20O9qhvbQUSTA==} engines: {node: '>=14.14'} tmpl@1.0.5: @@ -13721,7 +13717,7 @@ snapshots: lighthouse-logger: 1.2.0 open: 7.4.2 proxy-agent: 6.5.0 - tmp: 0.2.5 + tmp: 0.2.6 uuid: 14.0.0 yargs: 15.4.1 yargs-parser: 13.1.2 @@ -18971,7 +18967,7 @@ snapshots: dependencies: chardet: 0.7.0 iconv-lite: 0.4.24 - tmp: 0.2.5 + tmp: 0.2.6 extract-zip@2.0.1: dependencies: @@ -21105,7 +21101,7 @@ snapshots: strip-bom: 3.0.0 supports-color: 7.2.0 tar-stream: 2.2.0 - tmp: 0.2.4 + tmp: 0.2.6 tree-kill: 1.2.2 tsconfig-paths: 4.2.0 tslib: 2.8.1 @@ -22962,9 +22958,7 @@ snapshots: dependencies: tldts-core: 7.0.30 - tmp@0.2.4: {} - - tmp@0.2.5: {} + tmp@0.2.6: {} tmpl@1.0.5: {}