From 8c014331d5ed96c5601cd5bd4574a6fc3ae59595 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?R=7BAI=7Df=20D=2E=20M=C3=BCller?=
Date: Fri, 29 May 2026 14:24:21 +0200
Subject: [PATCH] chore(deps): raise tmp override to >=0.2.6 to clear high audit findings
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

npm audit --audit-level=high failed on four high-severity transitive deps of @lhci/cli, all tracing to tmp <0.2.6 (tmp → external-editor → inquirer). The existing override pinned tmp >=0.2.4, which still allowed the vulnerable 0.2.4/0.2.5. Bumping the override to >=0.2.6 resolves tmp to 0.2.7 and clears all high findings. npm's own fix path (audit fix --force) would downgrade @lhci/cli to 0.1.0, a SemVer-major regression — the override avoids that.

Co-Authored-By: Claude Opus 4.8 (1M context)
---
 website/package-lock.json | 6 +++---
 website/package.json | 2 +-
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/website/package-lock.json b/website/package-lock.json
index 9de2418..5596d67 100644
--- a/website/package-lock.json
+++ b/website/package-lock.json
@@ -6802,9 +6802,9 @@
 "license": "MIT"
 },
 "node_modules/tmp": {
- "version": "0.2.5",
- "resolved": "https://registry.npmjs.org/tmp/-/tmp-0.2.5.tgz",
- "integrity": "sha512-voyz6MApa1rQGUxT3E+BK7/ROe8itEx7vD8/HEvt4xwXucvQ5G5oeEiHkmHZJuBO21RpOf+YYm9MOivj709jow==",
+ "version": "0.2.7",
+ "resolved": "https://registry.npmjs.org/tmp/-/tmp-0.2.7.tgz",
+ "integrity": "sha512-e0votIpp4Uo2AJYSzVHV6xCcawuiez3DzqDAbrTc3YxBkplN6e+dM13ZeIcZnDg/QpSuU2zfZ3rzwY8ukEnaXw==",
 "dev": true,
 "license": "MIT",
 "engines": {
diff --git a/website/package.json b/website/package.json
index eec5830..7761297 100644
--- a/website/package.json
+++ b/website/package.json
@@ -44,6 +44,6 @@
 "overrides": {
 "minimatch": ">=10.2.1",
 "cookie": ">=0.7.0",
- "tmp": ">=0.2.4"
+ "tmp": ">=0.2.6"
 }
 }