
2 low severity vulnerabilities #583

Open
@gomezger

Description

Problem Description

Running npm audit reports vulnerabilities in the tmp dependency, which is indirectly required by patch-package.

Audit Log

# npm audit report
tmp <=0.2.3
tmp allows arbitrary temporary file / directory write via symbolic link `dir` parameter - https://github.com/advisories/GHSA-52f5-9888-hmc6
No fix available
node_modules/tmp
 patch-package *
 Depends on vulnerable versions of tmp
 node_modules/patch-package
2 low severity vulnerabilities

Impact

  • patch-package depends on a vulnerable version of tmp.
  • No fix is currently available.
  • This raises security warnings when installing dependencies.

Steps to Reproduce

  1. Install dependencies with npm install
  2. Run npm audit
  3. See the reported vulnerability in tmp

Expected Behavior

  • patch-package should update the tmp dependency to a secure version or provide a workaround.

Environment

  • Node.js: 20
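The report above is the human-readable form of `npm audit`; the same data is available as JSON via `npm audit --json` (the `auditReportVersion: 2` shape used by npm 7 and later), which is what a CI gate or a triage script should consume. The following is an added example, not code from the patch-package project or from the issue author: it separates root advisories (entries whose `via` array carries advisory objects) from the direct dependencies they reach through the `effects` chain, and applies a severity threshold. The `SAMPLE_REPORT` object is constructed here to mirror the text report in the issue; the advisory title, URL and range come from that report, all other field values are illustrative.

```javascript
// Added example: triage an `npm audit --json` report (npm 7+ auditReportVersion 2).
// Not part of patch-package or of the issue above.

const SEVERITY_ORDER = ['info', 'low', 'moderate', 'high', 'critical'];

// Constructed sample mirroring the audit text in the issue. Title, url and
// range are copied from that report; other values are illustrative only.
const SAMPLE_REPORT = {
  auditReportVersion: 2,
  vulnerabilities: {
    tmp: {
      name: 'tmp',
      severity: 'low',
      isDirect: false,
      via: [{
        name: 'tmp',
        dependency: 'tmp',
        title: 'tmp allows arbitrary temporary file / directory write via symbolic link `dir` parameter',
        url: 'https://github.com/advisories/GHSA-52f5-9888-hmc6',
        severity: 'low',
        range: '<=0.2.3',
      }],
      effects: ['patch-package'],
      range: '<=0.2.3',
      nodes: ['node_modules/tmp'],
      fixAvailable: false,
    },
    'patch-package': {
      name: 'patch-package',
      severity: 'low',
      isDirect: true,
      via: ['tmp'],            // a string here means "vulnerable because of tmp"
      effects: [],
      range: '*',
      nodes: ['node_modules/patch-package'],
      fixAvailable: false,
    },
  },
  metadata: {
    vulnerabilities: { info: 0, low: 2, moderate: 0, high: 0, critical: 0, total: 2 },
  },
};

// A root entry is one whose `via` holds at least one advisory object.
// Entries whose `via` holds only package-name strings are downstream effects.
function isRoot(entry) {
  return entry.via.some((v) => typeof v === 'object' && v !== null);
}

// Follow `effects` edges from a package until reaching packages declared in
// package.json (isDirect). `seen` guards against cycles in the dependency graph.
function directDependents(report, name, seen = new Set()) {
  const entry = report.vulnerabilities[name];
  if (!entry || seen.has(name)) return [];
  seen.add(name);
  if (entry.isDirect) return [name];
  return entry.effects.flatMap((e) => directDependents(report, e, seen));
}

// One finding per root advisory, with the direct dependencies it reaches.
function triage(report) {
  return Object.values(report.vulnerabilities)
    .filter(isRoot)
    .map((entry) => ({
      package: entry.name,
      severity: entry.severity,
      vulnerableRange: entry.range,
      advisories: entry.via
        .filter((v) => typeof v === 'object' && v !== null)
        .map((v) => v.url),
      reachedVia: [...new Set(directDependents(report, entry.name))].sort(),
      // npm sets fixAvailable to false or to an object describing the fix.
      fixAvailable: Boolean(entry.fixAvailable),
    }));
}

// CI gate: fail when any root advisory is at or above `threshold`.
// `ignoreUnfixable` lets a team suppress findings npm cannot fix yet, which
// is a local policy choice, not a statement that the finding is harmless.
function shouldFail(report, threshold, { ignoreUnfixable = false } = {}) {
  const min = SEVERITY_ORDER.indexOf(threshold);
  return triage(report).some((f) =>
    SEVERITY_ORDER.indexOf(f.severity) >= min &&
    !(ignoreUnfixable && !f.fixAvailable));
}

if (typeof require !== 'undefined' && require.main === module) {
  // Stand-alone run: print the triage of the constructed sample.
  // In practice: node triage.js < <(npm audit --json)
  console.log(JSON.stringify(triage(SAMPLE_REPORT), null, 2));
  console.log('fail at low:', shouldFail(SAMPLE_REPORT, 'low'));
}
```

Whether to suppress an unfixable low finding is a policy decision for the consuming project; the advisory text itself ("via symbolic link `dir` parameter") is the pointer for a reachability assessment, namely whether the dependent code ever passes an attacker-influenced `dir` value to tmp.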
