
chore(deps): clear high-severity audit findings (tmp override)#545

Merged
rdmueller merged 1 commit into LLM-Coding:main from raifdmueller:chore/npm-audit-fix on May 29, 2026

Conversation

@raifdmueller raifdmueller (Contributor) commented May 29, 2026

Problem

npm audit --audit-level=high (the Dependency Security Audit CI job) fails on four high-severity transitive dependencies of @lhci/cli, all tracing to tmp <0.2.6:

  • tmp → external-editor → inquirer → @lhci/cli

The existing overrides already pinned tmp >=0.2.4, but the advisory (GHSA for tmp arbitrary file/dir write) covers tmp <0.2.6, so 0.2.4/0.2.5 were still resolved and still vulnerable.

Fix

Raise the override to tmp >=0.2.6. This resolves tmp to 0.2.7 and clears all four high findings. npm audit --audit-level=high now exits 0.

npm's own remediation (npm audit fix --force) would downgrade @lhci/cli to 0.1.0 — a SemVer-major regression that would break Lighthouse CI. The override avoids that.

Scope

Only package.json (override bump) and package-lock.json (tmp 0.2.5 → 0.2.7). 7 moderate findings remain; these are below the --audit-level=high gate and out of scope for this PR.

Test

npm test — all 90 unit tests pass.

🤖 Generated with Claude Code

Summary by CodeRabbit

Release Notes

  • Chores
    • Dependency updated.

Review Change Stack

npm audit --audit-level=high failed on four high-severity transitive
deps of @lhci/cli, all tracing to tmp <0.2.6 (tmp → external-editor →
inquirer). The existing override pinned tmp >=0.2.4, which still allowed
the vulnerable 0.2.4/0.2.5. Bumping the override to >=0.2.6 resolves
tmp to 0.2.7 and clears all high findings.

npm's own fix path (audit fix --force) would downgrade @lhci/cli to
0.1.0, a SemVer-major regression — the override avoids that.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
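
As an added check (example code, not from the PR or the LLM-Coding repository): given a constructed package-lock.json `packages` map and an advisory's first fixed version, it lists every resolved copy of a package that is still inside the vulnerable range, and tests whether an `>=floor` override is high enough to exclude that range, which is the gap that let tmp 0.2.5 through here. The lockfile contents and the non-tmp versions are constructed, and the comparison handles plain x.y.z versions only.

```javascript
// Added example; not code from the PR or the LLM-Coding repository.
// Answers two questions a reviewer of this kind of override bump wants settled:
//   1. which resolved copies of a package are still below the advisory's fixed version?
//   2. does an ">=floor" override actually exclude the vulnerable range "<fixed"?

// Constructed lockfile fragment (package-lock v2/v3 "packages" map) mirroring the
// chain from the PR: tmp -> external-editor -> inquirer -> @lhci/cli.
// Versions other than tmp's are placeholders, not the project's real resolutions.
const LOCKFILE = {
  packages: {
    "node_modules/@lhci/cli": { version: "0.0.0-constructed" },
    "node_modules/inquirer": { version: "0.0.0-constructed" },
    "node_modules/external-editor": { version: "0.0.0-constructed" },
    "node_modules/tmp": { version: "0.2.5" },                        // still vulnerable
    "node_modules/other-tool/node_modules/tmp": { version: "0.2.7" }, // already fixed
  },
};

// Compare two plain "x.y.z" versions numerically; negative, zero or positive like strcmp.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Lockfile paths whose resolved version of `name` is below `fixedVersion`,
// i.e. inside an advisory range of the form "<fixedVersion". Nested copies
// (deeper node_modules directories) are included, since npm may resolve several.
function findVulnerable(lockfile, name, fixedVersion) {
  return Object.entries(lockfile.packages)
    .filter(([path, meta]) =>
      path.endsWith(`node_modules/${name}`) &&
      compareVersions(meta.version, fixedVersion) < 0)
    .map(([path, meta]) => `${path}@${meta.version}`);
}

// An override ">=floor" only excludes "<fixedVersion" when floor >= fixedVersion.
// ">=0.2.4" leaves 0.2.4 and 0.2.5 resolvable; ">=0.2.6" does not.
function overrideExcludesRange(overrideRange, fixedVersion) {
  const m = /^>=\s*(\d+\.\d+\.\d+)$/.exec(overrideRange.trim());
  if (!m) throw new Error(`only ">=x.y.z" overrides are handled: ${overrideRange}`);
  return compareVersions(m[1], fixedVersion) >= 0;
}
```
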

coderabbitai Bot (Contributor) commented May 29, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yml

Review profile: CHILL

Plan: Pro

Run ID: ddbd2299-97be-4261-999a-4e62e008c10d

📥 Commits

Reviewing files that changed from the base of the PR and between bd1a8a4 and 8c01433.

⛔ Files ignored due to path filters (1)
  • website/package-lock.json is excluded by !**/package-lock.json
📒 Files selected for processing (1)
  • website/package.json

Walkthrough

The pull request raises the minimum version of the tmp package in the overrides configuration of website/package.json from >=0.2.4 to >=0.2.6. This forces npm dependency resolution to use a newer version of the package.

Changes

Dependency management

Layer / File(s): Update tmp version requirement (website/package.json)
Summary: The overrides configuration for the tmp package is raised from >=0.2.4 to >=0.2.6 to enforce a newer minimum version.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title accurately describes the main change: raising the tmp override to fix security audit findings.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.


@rdmueller rdmueller merged commit 34ff458 into LLM-Coding:main May 29, 2026
7 checks passed