fix: remove "tmp" dependency

Trivial security issue

Signed-off-by: Gordon Smith <GordonJSmith@gmail.com>

Author: GordonSmith

.github/workflows/release-please.yml

@@ -21,70 +21,48 @@ jobs:
     steps:
       - name: Initialize Release Please
         id: release
-        if: ${{ github.event_name == 'push' }}
         uses: googleapis/release-please-action@v4
         with:
           target-branch: ${{ github.ref_name }}
           config-file: release-please-config.json
           manifest-file: .release-please-manifest.json
 
       - name: Checkout Sources
-        if: ${{ github.event_name == 'pull_request' || steps.release.outputs.release_created }}
         uses: actions/checkout@v4
 
       - name: Install NodeJS
-        if: ${{ github.event_name == 'pull_request' || steps.release.outputs.release_created }}
         uses: actions/setup-node@v6
         with:
           node-version: 22
           registry-url: "https://registry.npmjs.org"
           scope: "@hpcc-js"
 
-      - name: Install OS Dependencies
-        if: ${{ github.event_name == 'pull_request' || steps.release.outputs.release_created }}
-        run: |
-          pip install pandas scikit-learn
-
-      - name: Export GitHub Actions cache environment variables
-        if: ${{ github.event_name == 'pull_request' || steps.release.outputs.release_created }}
-        uses: actions/github-script@v7
-        with:
-          script: |
-            core.exportVariable('ACTIONS_CACHE_URL', process.env.ACTIONS_CACHE_URL || '');
-            core.exportVariable('ACTIONS_RUNTIME_TOKEN', process.env.ACTIONS_RUNTIME_TOKEN || '');
-
       - name: Install Dependencies
-        if: ${{ github.event_name == 'pull_request' || steps.release.outputs.release_created }}
         run: |
           npm ci
 
       - name: Lint
-        if: ${{ github.event_name == 'pull_request' || steps.release.outputs.release_created }}
         run: |
           npm run lint
 
       - name: Build
-        if: ${{ github.event_name == 'pull_request' || steps.release.outputs.release_created }}
         run: |
           npm run build
 
       - name: Install Test Dependencies
-        if: ${{ github.event_name == 'pull_request' || steps.release.outputs.release_created }}
         run: |
           sudo apt-get update
           sudo npx -y playwright install chromium --with-deps
           npx -y playwright install chromium
           wget https://github.com/hpcc-systems/HPCC-Platform/releases/download/community_9.6.50-1/hpccsystems-platform-community_9.6.50-1jammy_amd64_withsymbols.deb
 
       - name: Install HPCC Platform
-        if: ${{ github.event_name == 'pull_request' || steps.release.outputs.release_created }}
         continue-on-error: true
         run: |
           sudo apt install -f ./hpccsystems-platform-community_9.6.50-1jammy_amd64_withsymbols.deb
           sudo /etc/init.d/hpcc-init start
 
       - name: Test
-        if: ${{ github.event_name == 'pull_request' || steps.release.outputs.release_created }}
         env:
           CI: true
         run: |
@@ -94,17 +72,6 @@ jobs:
           npm run test-node-esm
           npm run test-node-cjs
 
-      # - name: Calculate Coverage
-      #   if: ${{ steps.release.outputs.release_created }}
-      #   run: |
-      #     npm run coverage
-
-      # - name: Update Coveralls
-      #   if: ${{ steps.release.outputs.release_created }}
-      #   uses: coverallsapp/github-action@v2
-      #   with:
-      #     github-token: ${{ secrets.GITHUB_TOKEN }}
-
       - name: push stamped release
         if: ${{ steps.release.outputs.release_created }}
         run: |
@@ -121,11 +88,6 @@ jobs:
         run: |
           npm run publish
 
-      # - name: Purge jsdelivr
-      #   if: ${{ steps.release.outputs.release_created }}
-      #   run: |
-      #     npm run purge-jsdelivr
-
       - name: Upload error logs
         if: ${{ failure() || cancelled() }}
         uses: actions/upload-artifact@v4

package-lock.json

@@ -78,7 +78,6 @@
         "@xmldom/xmldom": "0.9.8",
         "abort-controller": "3.0.0",
         "node-fetch": "3.3.2",
-        "tmp": "0.2.5",
         "undici": "7.16.0"
     },
     "devDependencies": {

packages/comms/package.json

@@ -1,8 +1,8 @@
 import * as cp from "node:child_process";
+import * as crypto from "node:crypto";
 import * as fs from "node:fs";
 import * as os from "node:os";
 import * as path from "node:path";
-import * as tmp from "tmp";
 
 import { exists, scopedLogger, xml2json, XMLNode } from "@hpcc-js/util";
 import { attachWorkspace, Workspace } from "./eclMeta.ts";
@@ -360,7 +360,7 @@ export class ClientTools {
     }
 
     createWU(filename: string): Promise<LocalWorkunit> {
-        const tmpName = tmp.tmpNameSync({ prefix: "eclcc-wu-tmp", postfix: "" });
+        const tmpName = path.join(os.tmpdir(), `eclcc-wu-tmp-${crypto.randomBytes(8).toString("hex")}`);
         const args = ["-o" + tmpName, "-wu"].concat([filename]);
         return this.execFile(this.eclccPath, this.cwd, this.args(args), "eclcc", `Cannot find ${this.eclccPath}`).then((_response: IExecFile) => {
             const xmlPath = path.normalize(tmpName + ".xml");