Security Vulnerability Report
Summary
A MEDIUM severity vulnerability has been identified in the tmp package (version 0.0.33), which enters the project as a transitive dependency through @inquirer/prompts rather than as a direct dependency.
Details
Affected package: tmp@0.0.33
Dependency Chain
Root Cause Analysis
The tmp package accepts a caller-supplied dir option that selects where temporary files and directories are created, and it checks that the supplied path stays inside the system temp root. In the affected versions that containment check is lexical: it compares the normalised path string and does not resolve symbolic links. A symlink planted inside the temp root that points somewhere else therefore passes the check, and the temporary file or directory is created at the symlink's target. An attacker who can plant such a link gains an arbitrary file or directory write outside the intended location. The fixed release (0.2.4 and later) resolves the real path of dir before performing the containment check.
Recommended Fix
Option 1: Upgrade @inquirer/prompts (Recommended)
Upgrade @inquirer/prompts to a release whose dependency tree resolves tmp to 0.2.4 or later, so the fix arrives through the normal dependency path rather than a manual pin.
Note: This is a major version upgrade and may introduce breaking changes. Review the migration guide before upgrading.
Option 2: Override the vulnerable dependency
Add to package.json (the overrides field is honoured by npm 8.3 and later; Yarn uses a resolutions field and pnpm a pnpm.overrides field for the same purpose):
  "overrides": {
    "tmp": "^0.2.4"
  }
Caveat: tmp 0.2.x is a different release line from 0.0.33, so the package inside @inquirer/prompts that consumes tmp may rely on an API that changed between those versions. The override takes effect only after the lockfile is regenerated, and a clean audit does not prove the consumer still works, so run the test suite as well.
Testing After Fix
- Run npm install to update dependencies and regenerate the lockfile
- Verify with npm audit that the tmp finding is no longer reported
- Run snyk test to confirm resolution
- Execute the test suite to ensure no breaking changes
Long-term Security Guidance
- Run npm audit as a pre-commit hook so that newly introduced vulnerable transitive dependencies are caught before they land
- Keep the lockfile committed and scan it in CI on every change, since transitive pins such as this one are only visible there
Additional Context
This vulnerability was discovered during a security scan on 2025-11-04. It is rated MEDIUM rather than critical, but it should still be addressed: the override is low-effort and removes an arbitrary file write primitive from the dependency tree.
Generated with security scanning tools