chore(deps): bump tmp override to >=0.2.6 (GHSA-ph9p-34f9-6g65)
CI / commits (pull_request) Successful in 2m48s
CI / scan (pull_request) Successful in 2m49s
CI / a11y (pull_request) Successful in 2m10s
CI / check (pull_request) Successful in 5m30s
Docs site / build (pull_request) Successful in 2m52s
CI / perf (pull_request) Successful in 5m55s

Bump the existing pnpm override for tmp from >=0.2.4 to >=0.2.6 to
cover GHSA-ph9p-34f9-6g65, a path-traversal vulnerability via
unsanitized prefix/postfix in tmp <0.2.6. Surfaced by pnpm ci:audit.

Both consuming paths in the tree (nx and @lhci/cli) still depend on
tmp <0.2.6 at their latest releases, so an upstream upgrade is not
an option. Same override pattern that was already in place for the
prior tmp advisory, with the lower bound widened.

Side effect of pnpm install: @scalar/nestjs-api-reference bumped
1.1.16 -> 1.1.19, both within the existing ^1.1.14 range. Natural
transitive resolution, not a deliberate change.

Risk: patch bump on a tiny library with a stable API; the 0.2.5 and
0.2.6 releases are sanitization-only fixes.
This commit is contained in:
Julien Gautier
2026-05-27 17:26:54 +02:00
parent 3191040bbc
commit eb6aa6e8bb
2 changed files with 8 additions and 14 deletions
+7 -13
View File
@@ -12,7 +12,7 @@ overrides:
follow-redirects@<1.16.0: '>=1.16.0'
ip-address@<10.1.1: '>=10.1.1'
protobufjs@<8.0.2: '>=8.0.2'
tmp@<0.2.4: '>=0.2.4'
tmp@<0.2.6: '>=0.2.6'
uuid@<11.1.1: '>=11.1.1'
vitepress>vite: '>=6.4.2 <7'
ws@>=8.0.0 <8.20.1: '>=8.20.1'
@@ -10500,12 +10500,8 @@ packages:
resolution: {integrity: sha512-ELrFxuqsDdHUwoh0XxDbxuLD3Wnz49Z57IFvTtvWy1hJdcMZjXLIuonjilCiWHlT2GbE4Wlv1wKVTzDFnXH1aw==}
hasBin: true
tmp@0.2.4:
resolution: {integrity: sha512-UdiSoX6ypifLmrfQ/XfiawN6hkjSBpCjhKxxZcWlUUmoXLaCKQU0bx4HF/tdDK2uzRuchf1txGvrWBzYREssoQ==}
engines: {node: '>=14.14'}
tmp@0.2.5:
resolution: {integrity: sha512-voyz6MApa1rQGUxT3E+BK7/ROe8itEx7vD8/HEvt4xwXucvQ5G5oeEiHkmHZJuBO21RpOf+YYm9MOivj709jow==}
tmp@0.2.6:
resolution: {integrity: sha512-5sJPdPjfI5Kx+qbrDesxkglRBxW//g7hCsqspEjwkewGvBMGIKMOTKzLt1hFVJzyadba3lDUN20O9qhvbQUSTA==}
engines: {node: '>=14.14'}
tmpl@1.0.5:
@@ -13721,7 +13717,7 @@ snapshots:
lighthouse-logger: 1.2.0
open: 7.4.2
proxy-agent: 6.5.0
tmp: 0.2.5
tmp: 0.2.6
uuid: 14.0.0
yargs: 15.4.1
yargs-parser: 13.1.2
@@ -18971,7 +18967,7 @@ snapshots:
dependencies:
chardet: 0.7.0
iconv-lite: 0.4.24
tmp: 0.2.5
tmp: 0.2.6
extract-zip@2.0.1:
dependencies:
@@ -21105,7 +21101,7 @@ snapshots:
strip-bom: 3.0.0
supports-color: 7.2.0
tar-stream: 2.2.0
tmp: 0.2.4
tmp: 0.2.6
tree-kill: 1.2.2
tsconfig-paths: 4.2.0
tslib: 2.8.1
@@ -22962,9 +22958,7 @@ snapshots:
dependencies:
tldts-core: 7.0.30
tmp@0.2.4: {}
tmp@0.2.5: {}
tmp@0.2.6: {}
tmpl@1.0.5: {}