Skip to content

fix(security): force external-editor's tmp to >=0.2.6 (CVE-2026-44705)#741

Merged
sid88in merged 1 commit into
masterfrom
fix/tmp-path-traversal-247
Jul 10, 2026
Merged

fix(security): force external-editor's tmp to >=0.2.6 (CVE-2026-44705)#741
sid88in merged 1 commit into
masterfrom
fix/tmp-path-traversal-247

Conversation

@sid88in

@sid88in sid88in commented Jul 9, 2026

Copy link
Copy Markdown
Owner

fix(security): force external-editor's tmp to >=0.2.6

Addresses Dependabot alert 247tmp path traversal via unsanitized prefix/postfix.

No Fixes #N trailer: Dependabot alert numbers and issue numbers are separate namespaces —
Fixes #247 would link to an unrelated issue. The advisory is referenced by GHSA ID instead.

Summary

One-line scoped override lifting the tmp under external-editor from 0.0.33 to 0.2.7.

   "serverless": {
     "tar": "^7.5.8"
+  },
+  "external-editor": {
+    "tmp": "^0.2.6"
   }

The advisory

CVE-2026-44705 / GHSA-ph9p-34f9-6g65 — High (7.7), CWE-22. Affected tmp < 0.2.6; patched 0.2.6.

tmp composes paths as path.join(tmpDir, opts.dir, '<prefix>-<pid>-<random>-<postfix>') with no containment check. path.join() normalizes ../ sequences, so traversal in prefix, postfix, or dir escapes the temp directory and creates files at attacker-chosen locations with the process's privileges.

Why Dependabot can't auto-fix it

Dependabot reports it cannot update: external-editor@3.1.0 pins tmp@^0.0.33, which is semver-incompatible with the 0.2.6 fix. The chain is:

devDependencies → all-contributors-cli@6.26.1 → inquirer@7.3.3 → external-editor@3.1.0 → tmp@0.0.33

Bumping all-contributors-cli doesn't help: 6.26.1 is already the latest stable and still depends on inquirer@^7.3.3. So the only route is a scoped override across the major boundary — which requires proving external-editor survives the jump.

Why the major bump is safe

external-editor calls exactly one tmp API:

// external-editor/main/index.js:131
this.tempFile = tmp_1.tmpNameSync(this.fileOptions);

tmp@0.2.x still exports tmpNameSync (alongside file, fileSync, dir, dirSync, tmpName, setGracefulCleanup). Verified functionally against tmp@0.2.7:

  • tmpNameSync({}), tmpNameSync({postfix:'.txt'}), tmpNameSync({prefix:'ec',postfix:'.md'}) — all the option shapes inquirer / external-editor pass — return correctly.
  • new ExternalEditor('hello') instantiates, creates its temp file, and cleanup() succeeds.
  • all-contributors --version / --help still run (6.26.1).

Verified actually fixed

The advisory's own PoC, run against both versions:

tmp@0.0.33 (master) tmp@0.2.7 (this PR)
prefix: '../../escaped' /escaped902XoCeldgMRxIcescaped to / rejected: Relative value not allowed
postfix: '/../../pwned.txt' /pwned.txtescaped to / rejected: Relative value not allowed

Result

Verified against current master (b48496b):

  • tmp@0.2.7, marked overridden (was "^0.0.33") — single copy in the tree.
  • Clears 4 advisories: tmp (high), plus external-editor, inquirer, and all-contributors-cli, which were flagged only because they depend on vulnerable tmp. Master: 16 advisories → this branch: 12.
  • No regressions — advisory-set diff introduces nothing new.
  • tmp was never in the production tree, so plugin consumers were never exposed; this clears dev-tree alerts.
  • npm ci succeeds (lockfile in sync), npm run build, npm run lint (0 errors), npm run test (360 passing, 21 suites) all green.
  • Tiny lockfile diff (~17 deletions): tmp@0.0.33's os-tmpdir dependency drops away.

To apply

npm pkg set 'overrides.external-editor.tmp=^0.2.6'
npm install     # regenerates package-lock.json

npm run build && npm run lint && npm test
npm ls tmp      # expect tmp@0.2.7 overridden
npm audit       # no tmp findings
node node_modules/.bin/all-contributors --version   # CLI still runs

Notes

  • Override is scoped to external-editor, its direct parent, rather than applied globally. external-editor is the only consumer of tmp in the tree, so the effect is identical today, but the scoped form documents intent and won't silently capture a future unrelated tmp consumer.
  • all-contributors-cli is not wired into any npm script or workflow — it's run ad hoc against .all-contributorsrc. Removing it entirely (as with semantic-release in fix(security): remove unused semantic-release, pin serverless's tar >… #740) would also clear these alerts, but it's a tool you actually use, so overriding is the less disruptive fix. Worth revisiting if the inquirer@7 chain accumulates more advisories.
  • Remaining npm audit findings (decompress, js-yaml, undici, …) are dev-only advisories from serverless / @serverless/test / semantic-release, tracked separately (undici and npm are cleared by fix(security): remove unused semantic-release, pin serverless's tar >… #740).

Summary by CodeRabbit

  • Bug Fixes
    • Updated a dependency constraint to help ensure more reliable app behavior and reduce issues related to temporary file handling.

external-editor@3.1.0 pins tmp@^0.0.33, which Dependabot cannot auto-update
because it is semver-incompatible with the 0.2.6 fix. Scoped override lifts it
to tmp@0.2.7. Dev-only path (all-contributors-cli -> inquirer -> external-editor).

Safe across the major bump: external-editor calls only tmpNameSync(), which
0.2.x still exports. Advisory PoC verified rejected on 0.2.7.

Refs: GHSA-ph9p-34f9-6g65
@sid88in sid88in self-assigned this Jul 9, 2026
@sid88in sid88in requested a review from AlexHladin July 9, 2026 02:47
@coderabbitai

coderabbitai Bot commented Jul 9, 2026

Copy link
Copy Markdown

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 06c0182c-0828-4d28-8be1-abed901cec2d

📥 Commits

Reviewing files that changed from the base of the PR and between b48496b and 53c49ba.

⛔ Files ignored due to path filters (1)
  • package-lock.json is excluded by !**/package-lock.json
📒 Files selected for processing (1)
  • package.json

📝 Walkthrough

Walkthrough

The package.json overrides section is updated to add a new override entry for the external-editor package, pinning its tmp dependency to version ^0.2.6.

Changes

Dependency override update

Layer / File(s) Summary
Add external-editor tmp override
package.json
Adds an override entry for external-editor specifying tmp version ^0.2.6.

Estimated code review effort: 1 (Trivial) | ~2 minutes

Suggested reviewers: AlexHladin

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title accurately describes the security override added for external-editor's tmp dependency.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch fix/tmp-path-traversal-247

Comment @coderabbitai help to get the list of available commands.

@sid88in sid88in merged commit 6ee7ae1 into master Jul 10, 2026
6 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants