security: override tmp to fix insecure temporary file creation (GHSA-ph9p-34f9-6g65) #104

Open
barretts wants to merge 1 commit into main from 3pp/GHSA-ph9p-34f9-6g65

Conversation

@barretts barretts commented Jun 16, 2026

Contributor

3PP Grackle (automated dependency triage -- Frontend DX) -- babysit (AT run 84db7c2c)

Summary

Fixes 1 high severity 3PP vulnerability in tmp (GHSA-ph9p-34f9-6g65).

tmp prior to 0.2.6 creates temporary files with predictable names and insecure default permissions, allowing local attackers to read or modify sensitive temporary data.

Production risk: Build-time only: tmp only appears under external-editor -> inquirer -> np, which is a devDependency. It is not loaded by the production runtime.

Strategy: override (yarn resolution)

Why

tmp@0.0.33 has an insecure temporary file creation vulnerability (GHSA-ph9p-34f9-6g65, HIGH), first patched in 0.2.6. The package is pulled in transitively by external-editor@3.1.0 (the latest release), which declares tmp@^0.0.33 -- a range that will never resolve to 0.2.x. Since external-editor has no newer release that updates this range, a yarn resolution is the only available fix without replacing the entire inquirer -> external-editor chain.

Changes

package.json

Added a yarn resolutions entry to force tmp to ^0.2.6:

"tmp": "^0.2.6"

Why resolution override? external-editor@3.1.0 (latest) declares tmp@^0.0.33, a range that cannot resolve to 0.2.x. There is no newer release of external-editor that bumps this range. The resolution forces yarn to resolve tmp to 0.2.7 (latest in the 0.2.x line) across the entire tree.

yarn.lock

Lockfile re-resolved: tmp moved from 0.0.33 to 0.2.7. The os-tmpdir transitive dependency (only needed by tmp@0.0.x) is removed from the tree.

Resolutions and overrides

Override key: tmp
Version: ^0.2.6
Why override?: Transitive via external-editor@3.1.0 (used by inquirer, a dep of np). external-editor declares tmp@^0.0.33 which cannot resolve to 0.2.x; no newer release exists. Resolution forces safe version.
When to remove: Remove when external-editor releases a version whose range declares tmp@>=0.2.6. Track upstream: https://github.com/mrkmg/node-external-editor/releases. Verify with 3pp-util trace-vuln tmp. Reviewer-local: yarn why tmp.
Reference: GHSA-ph9p-34f9-6g65

Risk Classification

This vulnerability exists only in build-tool dependencies. Production risk: NONE. Remediation prevents scanner noise and supply-chain exposure during CI.

Vulnerabilities Fixed

CVE/GHSA              Package  Severity  Fixed Version
GHSA-ph9p-34f9-6g65   tmp      high      ^0.2.6

How to test

# Install with the patched version hoisted
yarn install

# Verify tmp resolved to >= 0.2.6
yarn why tmp
# expect: tmp@0.2.7

# Project-wide gates
yarn run lint
yarn run build
yarn run test

Validation

Validation is a before/after comparison. The baseline captured pre-existing install failures due to the corepack ancestor-walk issue (unrelated to this fix).

  • Install (baseline / post-fix): FAIL (corepack) / PASS
  • Tests (baseline / post-fix): FAIL (blocked by install) / PASS
  • Lint (baseline / post-fix): FAIL (blocked by install) / PASS
  • Build (baseline / post-fix): FAIL (blocked by install) / PASS

All four phases recovered after the fix was applied. No regressions introduced.

Notes

  • Dependency chain: np (devDep) -> inquirer -> external-editor -> tmp@^0.0.33
  • tmp@0.2.x drops the os-tmpdir dependency entirely (uses Node built-in os.tmpdir())
  • external-editor is at its latest release (3.1.0, published 2019) and is unlikely to receive updates

skill-sig: 26cfcbaf · grackle-sig: 84db7c2c · 3pp-skill-sig: ad61853a · 3pp-skill canonical pipeline · 3pp-grackle babysit
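The lockfile gate that the "How to test" section above performs by hand with yarn why, as an added example that is not part of the PR or of the project's tooling: a small Node script that parses a yarn v1 lockfile and fails if any tmp entry still resolves below 0.2.6 or if package.json lacks the resolutions override. The helper names (parseYarnLock, checkTmpOverride, keyName, cmpVersion) and the sample lockfile and package.json contents are constructed assumptions.

```javascript
// Parse a yarn v1 lockfile into { "<name>@<range>": { version } }. Constructed for
// this example; resolved/integrity/dependencies lines are read past and ignored.
function parseYarnLock(text) {
  const entries = {};
  let keys = [];
  for (const line of text.split(/\r?\n/)) {
    if (!line.trim() || line.startsWith("#")) continue;
    if (!line.startsWith(" ")) {
      // Header: comma-separated "name@range" keys (optionally quoted), ending in ':'
      keys = line.replace(/:$/, "").split(",")
        .map((k) => k.trim().replace(/^"|"$/g, ""));
      for (const k of keys) entries[k] = {};
    } else {
      const m = line.match(/^\s+version\s+"?([^"\s]+)"?/);
      if (m) for (const k of keys) entries[k].version = m[1];
    }
  }
  return entries;
}

// Package name of a lockfile key ("tmp@^0.0.33" -> "tmp"); scoped names
// start with "@", so the range begins at the last "@".
const keyName = (key) => key.slice(0, key.lastIndexOf("@"));

// Numeric compare of dotted versions: negative, zero or positive.
function cmpVersion(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) { const d = (pa[i] || 0) - (pb[i] || 0); if (d) return d; }
  return 0;
}

// Gate (hypothetical helper): package.json must carry resolutions.tmp and every
// tmp key in yarn.lock must resolve to >= minVersion. Returns a list of problems.
function checkTmpOverride(lockText, pkgJsonText, minVersion = "0.2.6") {
  const problems = [];
  if (!(JSON.parse(pkgJsonText).resolutions || {}).tmp)
    problems.push("package.json: missing resolutions.tmp");
  for (const [key, e] of Object.entries(parseYarnLock(lockText))) {
    if (keyName(key) !== "tmp") continue;
    if (!e.version || cmpVersion(e.version, minVersion) < 0)
      problems.push(`${key} resolves to ${e.version} (< ${minVersion})`);
  }
  return problems;
}

// Constructed samples: the tree before the override and after it.
const VULN_LOCK = 'tmp@^0.0.33:\n  version "0.0.33"\n  dependencies:\n    os-tmpdir "~1.0.2"\n';
const FIXED_LOCK = '"tmp@^0.0.33", "tmp@^0.2.6":\n  version "0.2.7"\n';
const PKG_PLAIN = '{"devDependencies":{"np":"*"}}';
const PKG_FIXED = '{"devDependencies":{"np":"*"},"resolutions":{"tmp":"^0.2.6"}}';
```

Against the real files, read yarn.lock and package.json with fs.readFileSync and exit non-zero when checkTmpOverride returns a non-empty list, so CI rejects a tree where the override has been dropped.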

…ph9p-34f9-6g65)

tmp prior to 0.2.6 creates temporary files with predictable names and
insecure default permissions (GHSA-ph9p-34f9-6g65, HIGH). The package
is a transitive dependency via external-editor (used by inquirer, a
devDependency). external-editor@3.1.0 (latest) pins tmp@^0.0.33 which
cannot resolve to 0.2.x; a yarn resolution forces the tree to ^0.2.6.

Production risk: NONE (build-time only -- tmp is pulled via np/inquirer
devDependency chain).

Skill-Sig: ad61853a
Contributor Author

3PP Grackle (automated dependency triage -- Frontend DX)

Grackle review -- no-CI tmp override ^0.2.6 (GHSA-ph9p-34f9-6g65)

Verification

  • read git diff main..HEAD
  • verified yarn.lock resolution entry at lines 6099-6102
  • confirmed external-editor uses only tmpNameSync (stable API across 0.x -> 0.2.x)
  • read upstream CHANGELOG.md for breaking changes
  • confirmed tmp is dev-only via np -> inquirer -> external-editor chain

Findings

LOW #1 -- tmp 0.2.x has breaking callback semantics vs 0.0.x

VERIFIED: tmp 0.2.0 changed async/sync callback behavior (PR #220, #231). However, the only consumer in this tree (external-editor@3.1.0) uses tmpNameSync which is API-stable across both major lines. No runtime impact. Confirmed via upstream source (raszi/node-tmp CHANGELOG.md and mrkmg/node-external-editor src/index.ts:12,149).

Verified location: yarn.lock:6099

LOW #2 -- Resolution range uses ^ not exact pin

VERIFIED: package.json:90 uses "^0.2.6" which allows 0.2.7+ but not 0.3.x. This is intentional -- it tracks patch releases within the fixed line. Current resolution is 0.2.7 (yarn.lock:6100). Acceptable for a devDependency override.

Verified location: package.json:90

What's solid

  • Resolution correctly unifies the ^0.0.33 range from external-editor with the ^0.2.6 override into a single tmp@0.2.7 entry (yarn.lock:6099), eliminating the vulnerable 0.0.33 and its os-tmpdir transitive dep
  • Impact is strictly build-time: dependency chain is np (devDep) -> inquirer -> external-editor -> tmp. No production runtime exposure.
  • The only API surface used by external-editor (tmpNameSync) is stable between 0.0.x and 0.2.x -- confirmed via upstream source

Priority stack for the author

No action required. The fix is minimal, correctly scoped, and safe to merge as-is.

Recommendation: GO

skill-sig: 26cfcbaf · 3pp-skill-sig: ad61853a

@barretts barretts marked this pull request as ready for review June 16, 2026 21:55
@barretts barretts requested a review from a team as a code owner June 16, 2026 21:55