From 68cd5952f2aac9e368d93c58bf80f687786289c3 Mon Sep 17 00:00:00 2001 From: arc <224894192+arc0btc@users.noreply.github.com> Date: Fri, 29 May 2026 00:16:24 -0600 Subject: [PATCH] fix(deps): pin tmp to >=0.2.6 to patch CVE-2026-44705 Transitive dep via patch-package had a path traversal vulnerability. Adding overrides entry ensures tmp resolves to >=0.2.6 across all install methods. Co-Authored-By: Claude Sonnet 4.6 --- package-lock.json | 9 ++++++--- package.json | 3 ++- 2 files changed, 8 insertions(+), 4 deletions(-) diff --git a/package-lock.json b/package-lock.json index 3bdfd61..c37bdd6 100644 --- a/package-lock.json +++ b/package-lock.json @@ -25,6 +25,9 @@ "patch-package": "^8.0.1", "typescript": "^5.9.3", "wrangler": "^4.75.0" + }, + "overrides": { + "tmp": ">=0.2.6" } }, "node_modules/@aibtc/tx-schemas": { @@ -2616,9 +2619,9 @@ } }, "node_modules/tmp": { - "version": "0.2.5", - "resolved": "https://registry.npmjs.org/tmp/-/tmp-0.2.5.tgz", - "integrity": "sha512-voyz6MApa1rQGUxT3E+BK7/ROe8itEx7vD8/HEvt4xwXucvQ5G5oeEiHkmHZJuBO21RpOf+YYm9MOivj709jow==", + "version": "0.2.6", + "resolved": "https://registry.npmjs.org/tmp/-/tmp-0.2.6.tgz", + "integrity": "sha512-5sJPdPjfI5Kx+qbrDesxkglRBxW//g7hCsqspEjwkewGvBMGIKMOTKzLt1hFVJzyadba3lDUN20O9qhvbQUSTA==", "dev": true, "license": "MIT", "engines": { diff --git a/package.json b/package.json index 3f28918..576d005 100644 --- a/package.json +++ b/package.json @@ -28,7 +28,8 @@ "wrangler": "^4.75.0" }, "overrides": { - "lodash": ">=4.18.0" + "lodash": ">=4.18.0", + "tmp": ">=0.2.6" }, "dependencies": { "@aibtc/tx-schemas": "^1.1.0",