
Resolve tmp security vulnerability#18

Merged
anumol-baby merged 2 commits into master from dev/anu/update-tmp-package
Nov 18, 2025

Conversation

@anumol-baby

@anumol-baby anumol-baby commented Nov 18, 2025

Summary

This PR resolves a security vulnerability in the `tmp` package by using npm overrides to force a patched version.
https://github.com/github/Pac-tocat/security/dependabot/26

  • Vulnerability: tmp allows arbitrary temporary file/directory write via symbolic link manipulation
  • Dependency Chain: `eslint@5.16.0 → inquirer@6.5.2 → external-editor@3.1.0 → tmp@0.0.33`
  • Added npm `overrides` to force `tmp@^0.2.3` (patched version)
  • Updated tmp from 0.0.33 to 0.2.5 (secure version)
  • Removed `os-tmpdir` dependency (no longer required by tmp@0.2.5)

Additional Security Fixes

Also resolved other non-breaking vulnerabilities via `npm audit fix`:

  • `brace-expansion`: 1.1.11 → 1.1.12
  • `cross-spawn`: 6.0.5 → 6.0.6, 7.0.3 → 7.0.6
  • `js-yaml`: 3.14.1 → 3.14.2, 4.1.0 → 4.1.1
  • `micromatch`: 4.0.7 → 4.0.8
  • `path-to-regexp`: 1.8.0 → 1.9.0
  • `semver`: 5.7.1 → 5.7.2, 6.3.0 → 6.3.1
  • `word-wrap`: 1.2.3 → 1.2.5

Future Considerations
A proper ESLint upgrade can be planned separately as a future enhancement if needed.

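An `overrides` entry only helps if every installed copy of the package actually resolved to the forced range, including nested copies and the legacy `dependencies` section of a v2 lockfile. The script below is an added example, not code from this PR or from the `tmp`/npm projects: it reads a `package.json` and a `package-lock.json` (both constructed inline here and abbreviated to the chain the PR describes) and reports any resolved `tmp` version that falls outside the `^0.2.3` override. The caret-range check is a minimal reimplementation written for this example, not the `semver` package; it only handles `^x.y.z` ranges, which is all the override needs.

```javascript
// Added example: verify that an npm `overrides` entry took effect by checking
// every resolved copy of the overridden package in package-lock.json.

const OVERRIDE_PKG = 'tmp';

// Constructed package.json fragment mirroring the override described in the PR.
const packageJson = {
  name: 'example-app',
  devDependencies: { eslint: '^5.16.0' },
  overrides: { tmp: '^0.2.3' },
};

// Constructed, abbreviated lockfile (v2 shape: `packages` plus legacy `dependencies`)
// as it would look BEFORE the override: tmp@0.0.33 still pulls in os-tmpdir.
const lockBefore = {
  lockfileVersion: 2,
  packages: {
    'node_modules/external-editor': { version: '3.1.0', dependencies: { tmp: '^0.0.33' } },
    'node_modules/tmp': { version: '0.0.33', dependencies: { 'os-tmpdir': '~1.0.2' } },
    'node_modules/os-tmpdir': { version: '1.0.2' },
  },
  dependencies: {
    'external-editor': { version: '3.1.0', requires: { tmp: '^0.0.33' } },
    tmp: { version: '0.0.33', requires: { 'os-tmpdir': '~1.0.2' } },
    'os-tmpdir': { version: '1.0.2' },
  },
};

// Constructed lockfile AFTER the override: tmp@0.2.5, os-tmpdir gone.
const lockAfter = {
  lockfileVersion: 2,
  packages: {
    'node_modules/external-editor': { version: '3.1.0', dependencies: { tmp: '^0.0.33' } },
    'node_modules/tmp': { version: '0.2.5' },
  },
  dependencies: {
    'external-editor': { version: '3.1.0', requires: { tmp: '^0.0.33' } },
    tmp: { version: '0.2.5' },
  },
};

// "1.2.3" -> [1, 2, 3]; prerelease/build suffixes are deliberately rejected.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(String(v).trim());
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return m.slice(1).map(Number);
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Caret semantics: ^1.2.3 => <2.0.0, ^0.2.3 => <0.3.0, ^0.0.3 => <0.0.4.
function caretUpperBound([maj, min, pat]) {
  if (maj > 0) return [maj + 1, 0, 0];
  if (min > 0) return [0, min + 1, 0];
  return [0, 0, pat + 1];
}

function satisfiesCaret(range, version) {
  if (!range.startsWith('^')) throw new Error('this example only handles ^x.y.z ranges');
  const lower = parseVersion(range.slice(1));
  const v = parseVersion(version);
  return compareVersions(v, lower) >= 0 && compareVersions(v, caretUpperBound(lower)) < 0;
}

// Collect every installed copy of `name`: top-level and nested (node_modules/a/node_modules/name)
// from the `packages` section, plus the recursive legacy `dependencies` tree.
function findResolvedVersions(lock, name) {
  const out = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === `node_modules/${name}` || path.endsWith(`/node_modules/${name}`)) {
      out.push({ path, version: meta.version, section: 'packages' });
    }
  }
  const walkLegacy = (deps, prefix) => {
    for (const [dep, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${dep}`;
      if (dep === name) out.push({ path, version: meta.version, section: 'dependencies' });
      walkLegacy(meta.dependencies, `${path}/`); // nested installed copies
    }
  };
  walkLegacy(lock.dependencies, '');
  return out;
}

// Returns { range, copies, violations, ok }; ok is false if no copy was found at all,
// because an override for a package that is not installed proves nothing.
function checkOverride(pkgJson, lock, name) {
  const range = pkgJson.overrides && pkgJson.overrides[name];
  if (!range) throw new Error(`no overrides entry for ${name} in package.json`);
  const copies = findResolvedVersions(lock, name);
  const violations = copies.filter((c) => !satisfiesCaret(range, c.version));
  return { range, copies, violations, ok: copies.length > 0 && violations.length === 0 };
}

for (const [label, lock] of [['before', lockBefore], ['after', lockAfter]]) {
  const r = checkOverride(packageJson, lock, OVERRIDE_PKG);
  const detail = r.copies.map((c) => `${c.section}:${c.path}@${c.version}`).join(', ');
  console.log(`${label}: ${r.ok ? 'OK' : 'VIOLATION'} (${OVERRIDE_PKG} ${r.range}) -> ${detail}`);
}
```

Against a real checkout, feed `checkOverride` the parsed files (`JSON.parse(fs.readFileSync('package.json'))` and the same for `package-lock.json`) and run it in CI after `npm ci`; `npm ls tmp` gives the same answer interactively. Two caveats: `overrides` is honoured only by npm 8.3 or newer, so an older npm on a build agent silently reinstalls the vulnerable version, and the check above verifies the lockfile, not `node_modules`, so run it after a clean install rather than against a stale tree.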
@anumol-baby anumol-baby changed the title from "Resolve tmp security vulnerability https://github.com/github/Pac-tocat/security/dependabot/26" to "Resolve tmp security vulnerability" on Nov 18, 2025
Copilot AI review requested due to automatic review settings November 18, 2025 19:00

Copilot AI left a comment


Pull Request Overview

This PR addresses a critical security vulnerability in the tmp package (CVE relating to arbitrary file/directory write via symbolic link manipulation) by using npm's overrides feature to force all transitive dependencies to use tmp@^0.2.3 or higher. The change primarily affects the dependency chain through eslint → inquirer → external-editor → tmp, upgrading tmp from version 0.0.33 to 0.2.5. Additionally, the PR includes other non-breaking security patches via npm audit fix for packages like brace-expansion, cross-spawn, js-yaml, micromatch, path-to-regexp, semver, and word-wrap.

Key changes:

  • Added npm overrides configuration to force tmp@^0.2.3 across all dependencies
  • Updated tmp from 0.0.33 to 0.2.5 and removed the obsolete os-tmpdir dependency
  • Applied security patches to 7 additional packages via npm audit fix

Reviewed Changes

Copilot reviewed 1 out of 2 changed files in this pull request and generated 1 comment.

  • package.json: Added overrides section to force tmp@^0.2.3 for all transitive dependencies
  • package-lock.json: Updated tmp from 0.0.33 to 0.2.5, removed os-tmpdir dependency, and applied security patches to brace-expansion, cross-spawn, js-yaml, micromatch, path-to-regexp, semver, and word-wrap across both node_modules and legacy sections


Comment thread package.json Outdated
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
@anumol-baby anumol-baby merged commit 9a39665 into master Nov 18, 2025
1 check failed
@anumol-baby anumol-baby deleted the dev/anu/update-tmp-package branch November 18, 2025 20:46
