ci(gitlab): land .gitlab-ci.yml alongside gitea workflow (ADR-0028 phase 2) #241
Reference in New Issue
Block a user
Delete Branch "ci/gitlab-pipeline-phase2"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Summary
Bump the existing
tmpsecurity override from>=0.2.4to>=0.2.6to cover GHSA-ph9p-34f9-6g65 — a path-traversal vulnerability via unsanitized prefix/postfix intmp@<0.2.6. Surfaced bypnpm ci:auditon the next CI run; both Gitea and the in-flight GitLab Phase 2 pipeline fail without this.Why this isn't an upstream upgrade
tmpis a transitive dependency. The two consuming paths today:.>nx>tmpnx@22.7.4still declarestmp@^0.2.4.>@lhci/cli>tmp@lhci/cli@0.15.1(latest) still declarestmp@^0.1.0Upgrading
nxor@lhci/clidoes not movetmpto 0.2.6. The pre-existingpnpm.overridesentry was already pinningtmp@<0.2.4→>=0.2.4against the prior advisory; this PR just widens the lower bound to match the new one. Same pattern, one line.What lands
package.json"tmp@<0.2.4": ">=0.2.4"→"tmp@<0.2.6": ">=0.2.6"(one line).pnpm-lock.yamltmp@0.2.4→tmp@0.2.6resolved;@scalar/nestjs-api-reference@1.1.16 → 1.1.19picked up as a natural transitive resolution duringpnpm install(no semver-major, both are within the existing^1.1.14range and match Renovate's "patch + auto-merge" policy).Risk
Patch bump (0.2.4 → 0.2.6) on a tiny library with a stable public API since v0.2.0. The release notes for 0.2.5 and 0.2.6 are sanitization-only fixes — no API surface change. Risk of regression in nx / lhci consumers: negligible.
Test plan
pnpm audit --audit-level=moderatereturnsNo known vulnerabilities found(exit 0).pnpm why tmpshowstmp@0.2.6as the single resolved version (no duplicate).check+scanjobs).ci/gitlab-pipeline-phase2on top and retry the GitLabauditjob — expected green.Related
ci/gitlab-pipeline-phase2branch).