@orbeji (Contributor) commented Nov 13, 2025

Bumps tmp to 0.2.5

@carsonbot carsonbot added the "Status: Needs Review" label Nov 13, 2025

@Kocal (Member) left a comment


Hi, and thanks for your contribution!

Usually, such a minor upgrade has no effect. Since we use an open version constraint ^0.2.1, it means you have already upgraded to tmp@0.2.5 in your project.

However, I see that the package shrank a lot between these versions (https://bundlephobia.com/package/tmp@0.2.5), surely because 0.2.1 has many dependencies that 0.2.5 does not.

Anyway, I'm not sure I understand why the lockfile changed so much; could you revert everything except the tmp update?

Thanks!

@carsonbot carsonbot added the "Status: Needs Work" and "Status: Needs Review" labels and removed the "Status: Needs Review" and "Status: Needs Work" labels Nov 14, 2025

@orbeji (Contributor, Author) commented Nov 14, 2025

Hi,
Sorry for the messed-up update; I reverted the changes and only updated the tmp package.
I did it to avoid installing version 0.2.3 and below, which have a CVE.
Thanks

@Kocal Kocal changed the title from "update tmp to 0.2.5" to "Pin tmp dependency version to ^0.2.5 (CVE)" Nov 14, 2025
@Kocal Kocal force-pushed the update_tmp_package branch from 7dd9e19 to 7308e34 on November 14, 2025 22:35

@Kocal (Member) commented Nov 14, 2025

Thank you @orbeji.

@Kocal Kocal merged commit 502acd6 into symfony:main Nov 14, 2025