Skip to content

Low severity vulnerability via transitive dependency tmp #464

Description

@claabs

GHSA-52f5-9888-hmc6

This can be fixed by upgrading @inquirer/prompts to ^7.0.0 at a minimum.

As a package consumer, this override can resolve it:

  "overrides": {
    "@pgkit/migrator": {
      "@inquirer/prompts": "^7.0.0"
    }
  }

Details

tmp  <=0.2.3
tmp allows arbitrary temporary file / directory write via symbolic link `dir` parameter - https://github.com/advisories/GHSA-52f5-9888-hmc6
fix available via `npm audit fix --force`
Will install @pgkit/migrator@0.1.15, which is a breaking change
node_modules/tmp
  external-editor  >=1.1.1
  Depends on vulnerable versions of tmp
  node_modules/external-editor
    @inquirer/editor  <=4.2.15
    Depends on vulnerable versions of external-editor
    node_modules/@inquirer/editor
      @inquirer/prompts  <=6.0.1
      Depends on vulnerable versions of @inquirer/editor
      node_modules/@inquirer/prompts
        @pgkit/migrator  >=0.1.16
        Depends on vulnerable versions of @inquirer/prompts
        node_modules/@pgkit/migrator
$ npm list tmp
pgkit-repro@1.0.0 /Users/claabs/projects/pgkit-repro
└─┬ @pgkit/migrator@0.6.1
  └─┬ @inquirer/prompts@5.5.0
    └─┬ @inquirer/editor@2.2.0
      └─┬ external-editor@3.1.0
        └── tmp@0.0.33

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions