fix(deps): bump tmp to >=0.2.6 to fix path traversal vulnerability

Adds a pnpm override for `tmp` in both the `frontend` and `desktop`
workspaces to force the patched version (0.2.6). The previous transitive
resolutions (`tmp@0.0.33` via external-editor in frontend, `tmp@0.2.3`
via tmp-promise in desktop) are vulnerable to path traversal: an
unsanitized prefix/postfix lets callers escape the intended directory.

Addresses Dependabot alerts #234 (desktop) and #235 (frontend).
kolaente 2026-05-27 10:49:41 +02:00
parent 98affb265a
commit 7be5026113
4 changed files with 15 additions and 19 deletions


@ -76,7 +76,8 @@
"minimatch": "^10.2.3",
"tar": "^7.5.11",
"@tootallnate/once": "^3.0.1",
"picomatch": ">=4.0.4"
"picomatch": ">=4.0.4",
"tmp": ">=0.2.6"
}
}
}


@ -9,6 +9,7 @@ overrides:
tar: ^7.5.11
'@tootallnate/once': ^3.0.1
picomatch: '>=4.0.4'
tmp: '>=0.2.6'
importers:
@ -1461,8 +1462,8 @@ packages:
tmp-promise@3.0.3:
resolution: {integrity: sha512-RwM7MoPojPxsOBYnyd2hy0bxtIlVrihNs9pj5SUvY8Zz1sQcQG2tG1hSr8PDxfgEB8RNKDhqbIlroIarSNDNsQ==}
tmp@0.2.3:
resolution: {integrity: sha512-nZD7m9iCPC5g0pYmcaxogYKggSfLsdxl8of3Q/oIbqCqLLIO9IAF0GWjX1z9NZRHPiXv8Wex4yDCaZsgEw0Y8w==}
tmp@0.2.6:
resolution: {integrity: sha512-5sJPdPjfI5Kx+qbrDesxkglRBxW//g7hCsqspEjwkewGvBMGIKMOTKzLt1hFVJzyadba3lDUN20O9qhvbQUSTA==}
engines: {node: '>=14.14'}
toidentifier@1.0.1:
@ -3386,9 +3387,9 @@ snapshots:
tmp-promise@3.0.3:
dependencies:
tmp: 0.2.3
tmp: 0.2.6
tmp@0.2.3: {}
tmp@0.2.6: {}
toidentifier@1.0.1: {}


@ -175,7 +175,8 @@
"serialize-javascript": "^7.0.5",
"flatted": "^3.4.1",
"ip-address": ">=10.1.1",
"postcss": ">=8.5.10"
"postcss": ">=8.5.10",
"tmp": ">=0.2.6"
}
}
}


@ -12,6 +12,7 @@ overrides:
flatted: ^3.4.1
ip-address: '>=10.1.1'
postcss: '>=8.5.10'
tmp: '>=0.2.6'
importers:
@ -5301,10 +5302,6 @@ packages:
orderedmap@2.1.1:
resolution: {integrity: sha512-TvAWxi0nDe1j/rtMcWcIj94+Ffe6n7zhow33h40SKxmsmozs6dz/e+EajymfoFcHd7sxNn8yHM8839uixMOV6g==}
os-tmpdir@1.0.2:
resolution: {integrity: sha512-D2FR03Vir7FIu45XBY20mTb+/ZSWB00sjU9jdQXt83gDrI4Ztz5Fs7/yy74g2N5SVQY4xY1qDr4rNddwYRVX0g==}
engines: {node: '>=0.10.0'}
otplib@12.0.1:
resolution: {integrity: sha512-xDGvUOQjop7RDgxTQ+o4pOol0/3xSZzawTiPKRrHnQWAy0WjhNs/5HdIDJCrqC4MBynmjXgULc6YfioaxZeFgg==}
@ -6495,9 +6492,9 @@ packages:
resolution: {integrity: sha512-8PWx8tvC4jDB39BQw1m4x8y5MH1BcQ5xHeL2n7UVFulMPH/3Q0uiamahFJ3lXA0zO2SUyRXuVVbWSDmstlt9YA==}
hasBin: true
tmp@0.0.33:
resolution: {integrity: sha512-jRCJlojKnZ3addtTOjdIqoRuPEKBvNXcGYqzO6zWZX8KfKEpnGY5jfggJQ3EjKuu8D4bJRr0y+cYJFmYbImXGw==}
engines: {node: '>=0.6.0'}
tmp@0.2.6:
resolution: {integrity: sha512-5sJPdPjfI5Kx+qbrDesxkglRBxW//g7hCsqspEjwkewGvBMGIKMOTKzLt1hFVJzyadba3lDUN20O9qhvbQUSTA==}
engines: {node: '>=14.14'}
to-regex-range@5.0.1:
resolution: {integrity: sha512-65P7iz6X5yEr1cwcgvQxbbIw7Uk3gOy5dIdtZ4rDveLqhrdJP+Li/Hx6tyK0NEb+2GCyneCMJiGqrADCSNk8sQ==}
@ -11218,7 +11215,7 @@ snapshots:
dependencies:
chardet: 0.7.0
iconv-lite: 0.4.24
tmp: 0.0.33
tmp: 0.2.6
extract-zip@2.0.1:
dependencies:
@ -12411,8 +12408,6 @@ snapshots:
orderedmap@2.1.1: {}
os-tmpdir@1.0.2: {}
otplib@12.0.1:
dependencies:
'@otplib/core': 12.0.1
@ -13819,9 +13814,7 @@ snapshots:
dependencies:
tldts-core: 7.0.19
tmp@0.0.33:
dependencies:
os-tmpdir: 1.0.2
tmp@0.2.6: {}
to-regex-range@5.0.1:
dependencies: