fix(build): pin tmp >=0.2.6 to resolve GHSA-ph9p-34f9-6g65#1686
Merged
Conversation
- add tmp override in package.json to force @vscode/vsce dep onto patched 0.2.6 - regenerate package-lock.json; npm audit now reports 0 vulnerabilities 🔒 - Generated by Copilot
Contributor
Dependency Review✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.Scanned FilesNone |
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## main #1686 +/- ##
==========================================
- Coverage 85.56% 85.55% -0.01%
==========================================
Files 85 85
Lines 12396 12396
==========================================
- Hits 10607 10606 -1
- Misses 1789 1790 +1
Flags with carried forward coverage won't be shown. Click here to find out more. 🚀 New features to boost your workflow:
|
bindsi
approved these changes
May 28, 2026
auyidi1
approved these changes
May 28, 2026
Resolves package-lock.json conflict introduced by main's direct devDep bump (PR #1687). Tightens the tmp override from a range to exact 0.2.7 to match the repo convention of exact pins in the overrides block. GHSA-ph9p-34f9-6g65 remains resolved; npm audit reports 0 vulnerabilities.
kgmwang1
approved these changes
May 29, 2026
This was referenced May 29, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
5 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Pull Request
Description
Pin transitive
tmpdependency to>=0.2.6via the rootoverridesblock to resolve GHSA-ph9p-34f9-6g65 (CWE-22 arbitrary path traversal via symbolic link, high severity).tmp@0.2.5is pulled in transitively through@vscode/vsce@3.9.1 → tmp. Rather than bumping@vscode/vsce(which could carry unrelated breaking changes), the fix uses the repository's existingoverridespattern alongside other pinned transitive deps (basic-ftp,undici,yauzl, etc.).Related Issue(s)
Resolves the
npm Security AuditCI failure observed on recent PRs (e.g. #1497).Type of Change
Code & Documentation:
Infrastructure & Configuration:
Testing
npm installsucceeded;package-lock.jsonregenerated.npm ls tmp --allshows the override is active:npm run audit:npm(audit-ci) → exit code 0, "Passed npm security audit", 0 vulnerabilities across all severities.Checklist
Required Checks
Security Considerations
tmp@0.2.6is the upstream-published patched release for GHSA-ph9p-34f9-6g65.