chore(deps): bump tmp override to >=0.2.6 (GHSA-ph9p-34f9-6g65) #240

Merged
julien merged 1 commits from chore/bump-tmp-override-ghsa-ph9p-34f9-6g65 into main 2026-05-27 17:29:42 +02:00

1 Commits

Author SHA1 Message Date
Julien Gautier eb6aa6e8bb chore(deps): bump tmp override to >=0.2.6 (GHSA-ph9p-34f9-6g65)
CI / commits (pull_request) Successful in 2m48s
CI / scan (pull_request) Successful in 2m49s
CI / a11y (pull_request) Successful in 2m10s
CI / check (pull_request) Successful in 5m30s
Docs site / build (pull_request) Successful in 2m52s
CI / perf (pull_request) Successful in 5m55s
Bump the existing pnpm override for tmp from >=0.2.4 to >=0.2.6 to
cover GHSA-ph9p-34f9-6g65, a path-traversal vulnerability via
unsanitized prefix/postfix in tmp <0.2.6. Surfaced by pnpm ci:audit.

Both consuming paths in the tree (nx and @lhci/cli) still depend on
tmp <0.2.6 at their latest releases, so an upstream upgrade is not
an option. Same override pattern that was already in place for the
prior tmp advisory, with the lower bound widened.

Side effect of pnpm install: @scalar/nestjs-api-reference bumped
1.1.16 -> 1.1.19, both within the existing ^1.1.14 range. Natural
transitive resolution, not a deliberate change.

Risk: patch bump on a tiny library with a stable API; the 0.2.5 and
0.2.6 releases are sanitization-only fixes.
2026-05-27 17:26:54 +02:00