From 3066a29f96b9f1574f1348aafa106a06818efdfc Mon Sep 17 00:00:00 2001 From: sbrooke Date: Tue, 14 Jul 2026 09:49:32 -0400 Subject: [PATCH] fix(deps): force tmp >=0.2.6 via pnpm override (TAB-1091) CVE-2026-44705 / GHSA-ph9p-34f9-6g65 (high, CWE-22). tmp <0.2.6 joins prefix/postfix/dir path segments without containment checks, allowing directory-escape via traversal sequences or absolute paths. Same root cause as TAB-1089/TAB-1090: wxt -> web-ext-run@0.2.4 -> tmp@0.2.5, untouched since web-ext-run has no newer release. --- package.json | 3 ++- pnpm-lock.yaml | 9 ++------- 2 files changed, 4 insertions(+), 8 deletions(-) diff --git a/package.json b/package.json index 5dbe8be9..2c83cc31 100644 --- a/package.json +++ b/package.json @@ -82,7 +82,8 @@ "overrides": { "zod": "4.3.6", "shell-quote": ">=1.8.4", - "undici": ">=7.28.0" + "undici": ">=7.28.0", + "tmp": ">=0.2.6" } } } diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml index 4ca66409..44f2eaff 100644 --- a/pnpm-lock.yaml +++ b/pnpm-lock.yaml @@ -8,6 +8,7 @@ overrides: zod: 4.3.6 shell-quote: '>=1.8.4' undici: '>=7.28.0' + tmp: '>=0.2.6' importers: @@ -4326,10 +4327,6 @@ packages: resolution: {integrity: sha512-ELrFxuqsDdHUwoh0XxDbxuLD3Wnz49Z57IFvTtvWy1hJdcMZjXLIuonjilCiWHlT2GbE4Wlv1wKVTzDFnXH1aw==} hasBin: true - tmp@0.2.5: - resolution: {integrity: sha512-voyz6MApa1rQGUxT3E+BK7/ROe8itEx7vD8/HEvt4xwXucvQ5G5oeEiHkmHZJuBO21RpOf+YYm9MOivj709jow==} - engines: {node: '>=14.14'} - tmp@0.2.7: resolution: {integrity: sha512-e0votIpp4Uo2AJYSzVHV6xCcawuiez3DzqDAbrTc3YxBkplN6e+dM13ZeIcZnDg/QpSuU2zfZ3rzwY8ukEnaXw==} engines: {node: '>=14.14'} @@ -8504,8 +8501,6 @@ snapshots: dependencies: tldts-core: 7.4.3 - tmp@0.2.5: {} - tmp@0.2.7: {} toucan-js@4.1.1: @@ -8824,7 +8819,7 @@ snapshots: source-map-support: 0.5.21 strip-bom: 5.0.0 strip-json-comments: 5.0.2 - tmp: 0.2.5 + tmp: 0.2.7 update-notifier: 7.3.1 watchpack: 2.4.4 zip-dir: 2.0.0