From 12346459ff912f67f82182ce2edfa3ef43d01f2a Mon Sep 17 00:00:00 2001
From: orbisai0security
Date: Thu, 4 Jun 2026 15:11:48 +0000
Subject: [PATCH 1/2] fix: CVE-2026-44705 security vulnerability

Automated dependency upgrade by OrbisAI Security
---
 package.json | 1 +
 pnpm-lock.yaml | 20 ++++++++++++++++++++
 2 files changed, 21 insertions(+)

diff --git a/package.json b/package.json
index fbee93d40..76cdf1669 100644
--- a/package.json
+++ b/package.json
@@ -78,6 +78,7 @@
 "fast-glob": "^3.3.3",
 "ora": "^8.2.0",
 "posthog-node": "^5.20.0",
+ "tmp": "0.2.6",
 "yaml": "^2.8.2",
 "zod": "^4.0.17"
 }
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
index 097bf0404..6d9b0bfff 100644
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@@ -32,6 +32,9 @@ importers:
 posthog-node:
 specifier: ^5.20.0
 version: 5.20.0
+ tmp:
+ specifier: 0.2.6
+ version: 0.2.6
 yaml:
 specifier: ^2.8.2
 version: 2.8.2
@@ -536,56 +539,67 @@ packages:
 resolution: {integrity: sha512-EtP8aquZ0xQg0ETFcxUbU71MZlHaw9MChwrQzatiE8U/bvi5uv/oChExXC4mWhjiqK7azGJBqU0tt5H123SzVA==}
 cpu: [arm]
 os: [linux]
+ libc: [glibc]
 '@rollup/rollup-linux-arm-musleabihf@4.46.2':
 resolution: {integrity: sha512-qO7F7U3u1nfxYRPM8HqFtLd+raev2K137dsV08q/LRKRLEc7RsiDWihUnrINdsWQxPR9jqZ8DIIZ1zJJAm5PjQ==}
 cpu: [arm]
 os: [linux]
+ libc: [musl]
 '@rollup/rollup-linux-arm64-gnu@4.46.2':
 resolution: {integrity: sha512-3dRaqLfcOXYsfvw5xMrxAk9Lb1f395gkoBYzSFcc/scgRFptRXL9DOaDpMiehf9CO8ZDRJW2z45b6fpU5nwjng==}
 cpu: [arm64]
 os: [linux]
+ libc: [glibc]
 '@rollup/rollup-linux-arm64-musl@4.46.2':
 resolution: {integrity: sha512-fhHFTutA7SM+IrR6lIfiHskxmpmPTJUXpWIsBXpeEwNgZzZZSg/q4i6FU4J8qOGyJ0TR+wXBwx/L7Ho9z0+uDg==}
 cpu: [arm64]
 os: [linux]
+ libc: [musl]
 '@rollup/rollup-linux-loongarch64-gnu@4.46.2':
 resolution: {integrity: sha512-i7wfGFXu8x4+FRqPymzjD+Hyav8l95UIZ773j7J7zRYc3Xsxy2wIn4x+llpunexXe6laaO72iEjeeGyUFmjKeA==}
 cpu: [loong64]
 os: [linux]
+ libc: [glibc]
 '@rollup/rollup-linux-ppc64-gnu@4.46.2':
 resolution: {integrity: sha512-B/l0dFcHVUnqcGZWKcWBSV2PF01YUt0Rvlurci5P+neqY/yMKchGU8ullZvIv5e8Y1C6wOn+U03mrDylP5q9Yw==}
 cpu: [ppc64]
 os: [linux]
+ libc: [glibc]
 '@rollup/rollup-linux-riscv64-gnu@4.46.2':
 resolution: {integrity: sha512-32k4ENb5ygtkMwPMucAb8MtV8olkPT03oiTxJbgkJa7lJ7dZMr0GCFJlyvy+K8iq7F/iuOr41ZdUHaOiqyR3iQ==}
 cpu: [riscv64]
 os: [linux]
+ libc: [glibc]
 '@rollup/rollup-linux-riscv64-musl@4.46.2':
 resolution: {integrity: sha512-t5B2loThlFEauloaQkZg9gxV05BYeITLvLkWOkRXogP4qHXLkWSbSHKM9S6H1schf/0YGP/qNKtiISlxvfmmZw==}
 cpu: [riscv64]
 os: [linux]
+ libc: [musl]
 '@rollup/rollup-linux-s390x-gnu@4.46.2':
 resolution: {integrity: sha512-YKjekwTEKgbB7n17gmODSmJVUIvj8CX7q5442/CK80L8nqOUbMtf8b01QkG3jOqyr1rotrAnW6B/qiHwfcuWQA==}
 cpu: [s390x]
 os: [linux]
+ libc: [glibc]
 '@rollup/rollup-linux-x64-gnu@4.46.2':
 resolution: {integrity: sha512-Jj5a9RUoe5ra+MEyERkDKLwTXVu6s3aACP51nkfnK9wJTraCC8IMe3snOfALkrjTYd2G1ViE1hICj0fZ7ALBPA==}
 cpu: [x64]
 os: [linux]
+ libc: [glibc]
 '@rollup/rollup-linux-x64-musl@4.46.2':
 resolution: {integrity: sha512-7kX69DIrBeD7yNp4A5b81izs8BqoZkCIaxQaOpumcJ1S/kmqNFjPhDu1LHeVXv0SexfHQv5cqHsxLOjETuqDuA==}
 cpu: [x64]
 os: [linux]
+ libc: [musl]
 '@rollup/rollup-win32-arm64-msvc@4.46.2':
 resolution: {integrity: sha512-wiJWMIpeaak/jsbaq2HMh/rzZxHVW1rU6coyeNNpMwk5isiPjSTx0a4YLSlYDwBH/WBvLz+EtsNqQScZTLJy3g==}
@@ -1485,6 +1499,10 @@ packages:
 resolution: {integrity: sha512-jRCJlojKnZ3addtTOjdIqoRuPEKBvNXcGYqzO6zWZX8KfKEpnGY5jfggJQ3EjKuu8D4bJRr0y+cYJFmYbImXGw==}
 engines: {node: '>=0.6.0'}
+ tmp@0.2.6:
+ resolution: {integrity: sha512-5sJPdPjfI5Kx+qbrDesxkglRBxW//g7hCsqspEjwkewGvBMGIKMOTKzLt1hFVJzyadba3lDUN20O9qhvbQUSTA==}
+ engines: {node: '>=14.14'}
+
 to-regex-range@5.0.1:
 resolution: {integrity: sha512-65P7iz6X5yEr1cwcgvQxbbIw7Uk3gOy5dIdtZ4rDveLqhrdJP+Li/Hx6tyK0NEb+2GCyneCMJiGqrADCSNk8sQ==}
 engines: {node: '>=8.0'}
@@ -3039,6 +3057,8 @@ snapshots:
 dependencies:
 os-tmpdir: 1.0.2
+ tmp@0.2.6: {}
+
 to-regex-range@5.0.1:
 dependencies:
 is-number: 7.0.0

From d6a77b9c2768f8cae038e392bf21aa3a9f5e0de0 Mon Sep 17 00:00:00 2001
From: OrbisAI Security
Date: Mon, 8 Jun 2026 07:37:36 +0530
Subject: [PATCH 2/2] fix: replace direct tmp dep with pnpm.overrides to remove tmp@0.0.33 from tree

Adding tmp@0.2.6 as a direct dependency left the vulnerable tmp@0.0.33 installed transitively via @inquirer/prompts > @inquirer/editor > external-editor. Use pnpm.overrides to force the entire dependency tree to resolve tmp to ^0.2.6, removing the vulnerable version entirely.

Co-Authored-By: Claude Sonnet 4.6
---
 package.json | 6 +++++-
 pnpm-lock.yaml | 22 ++++------------------
 2 files changed, 9 insertions(+), 19 deletions(-)

diff --git a/package.json b/package.json
index 76cdf1669..321edc7ec 100644
--- a/package.json
+++ b/package.json
@@ -59,6 +59,11 @@
 "engines": {
 "node": ">=20.19.0"
 },
+ "pnpm": {
+ "overrides": {
+ "tmp": "^0.2.6"
+ }
+ },
 "devDependencies": {
 "@changesets/changelog-github": "^0.5.2",
 "@changesets/cli": "^2.27.7",
@@ -78,7 +83,6 @@
 "fast-glob": "^3.3.3",
 "ora": "^8.2.0",
 "posthog-node": "^5.20.0",
- "tmp": "0.2.6",
 "yaml": "^2.8.2",
 "zod": "^4.0.17"
 }
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
index 6d9b0bfff..affb95816 100644
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@@ -4,6 +4,9 @@ settings:
 autoInstallPeers: true
 excludeLinksFromLockfile: false
+overrides:
+ tmp: ^0.2.6
+
 importers:
 .:
@@ -32,9 +35,6 @@ importers:
 posthog-node:
 specifier: ^5.20.0
 version: 5.20.0
- tmp: specifier: 0.2.6 version: 0.2.6
 yaml:
 specifier: ^2.8.2
 version: 2.8.2
@@ -1252,10 +1252,6 @@ packages:
 resolution: {integrity: sha512-weP+BZ8MVNnlCm8c0Qdc1WSWq4Qn7I+9CJGm7Qali6g44e/PUzbjNqJX5NJ9ljlNMosfJvg1fKEGILklK9cwnw==}
 engines: {node: '>=18'}
- os-tmpdir@1.0.2: resolution: {integrity: sha512-D2FR03Vir7FIu45XBY20mTb+/ZSWB00sjU9jdQXt83gDrI4Ztz5Fs7/yy74g2N5SVQY4xY1qDr4rNddwYRVX0g==} engines: {node: '>=0.10.0'}
-
 outdent@0.5.0:
 resolution: {integrity: sha512-/jHxFIzoMXdqPzTaCpFzAAWhpkSjZPF4Vsn6jAfNpmbH/ymsmd7Qc6VE9BGn0L6YMj6uwpQLxCECpus4ukKS9Q==}
@@ -1495,10 +1491,6 @@ packages:
 resolution: {integrity: sha512-t2T/WLB2WRgZ9EpE4jgPJ9w+i66UZfDc8wHh0xrwiRNN+UwH98GIJkTeZqX9rg0i0ptwzqW+uYeIF0T4F8LR7A==}
 engines: {node: '>=14.0.0'}
- tmp@0.0.33: resolution: {integrity: sha512-jRCJlojKnZ3addtTOjdIqoRuPEKBvNXcGYqzO6zWZX8KfKEpnGY5jfggJQ3EjKuu8D4bJRr0y+cYJFmYbImXGw==} engines: {node: '>=0.6.0'}
-
 tmp@0.2.6:
 resolution: {integrity: sha512-5sJPdPjfI5Kx+qbrDesxkglRBxW//g7hCsqspEjwkewGvBMGIKMOTKzLt1hFVJzyadba3lDUN20O9qhvbQUSTA==}
 engines: {node: '>=14.14'}
@@ -2589,7 +2581,7 @@ snapshots:
 dependencies:
 chardet: 0.7.0
 iconv-lite: 0.4.24
- tmp: 0.0.33
+ tmp: 0.2.6
 fast-deep-equal@3.1.3: {}
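Review bot: The override at `"tmp": "^0.2.6"` pushes external-editor onto a tmp release outside the range it was resolved against (the lockfile pinned it to 0.0.33 before this change, and pre-1.0 minor bumps carry no compatibility promise), so the editor prompt path named in the description should be exercised at runtime before merging — the lockfile proves the resolution changed, not that external-editor still works against tmp 0.2.x. external-editor's own declared range is not visible in this diff, so treat that as something to confirm rather than a known break. Note also that the `pnpm.overrides` field is honored only when this project is the root of a pnpm install; if this package is published, downstream installs via npm or yarn, or as a dependency of another project, do not inherit it and would resolve tmp@0.0.33 again, so the override removes the vulnerable version from this repository's tree rather than from consumers'. A CI step that fails when `tmp@0.0.33` reappears in `pnpm-lock.yaml` (a `pnpm audit` run or a lockfile grep) would keep the fix from regressing silently when the override is later removed or the inquirer chain changes.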
@@ -2840,8 +2832,6 @@ snapshots:
 string-width: 7.2.0
 strip-ansi: 7.1.0
- os-tmpdir@1.0.2: {}
-
 outdent@0.5.0: {}
 p-filter@2.1.0:
@@ -3053,10 +3043,6 @@ snapshots:
 tinyspy@4.0.3: {}
- tmp@0.0.33: dependencies: os-tmpdir: 1.0.2
-
 tmp@0.2.6: {}
 to-regex-range@5.0.1: