fix(security): force external-editor's tmp to >=0.2.6 (CVE-2026-44705)#741
Merged
Conversation
external-editor@3.1.0 pins tmp@^0.0.33, which Dependabot cannot auto-update because it is semver-incompatible with the 0.2.6 fix. Scoped override lifts it to tmp@0.2.7. Dev-only path (all-contributors-cli -> inquirer -> external-editor). Safe across the major bump: external-editor calls only tmpNameSync(), which 0.2.x still exports. Advisory PoC verified rejected on 0.2.7. Refs: GHSA-ph9p-34f9-6g65
|
No actionable comments were generated in the recent review. 🎉 ℹ️ Recent review info⚙️ Run configurationConfiguration used: defaults Review profile: CHILL Plan: Pro Run ID: ⛔ Files ignored due to path filters (1)
📒 Files selected for processing (1)
📝 WalkthroughWalkthroughThe package.json overrides section is updated to add a new override entry for the external-editor package, pinning its tmp dependency to version ^0.2.6. ChangesDependency override update
Estimated code review effort: 1 (Trivial) | ~2 minutes Suggested reviewers: 🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Comment |
AlexHladin
approved these changes
Jul 9, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
fix(security): force
external-editor'stmpto>=0.2.6Addresses Dependabot alert 247 —
tmppath traversal via unsanitizedprefix/postfix.Summary
One-line scoped override lifting the
tmpunderexternal-editorfrom0.0.33to0.2.7."serverless": { "tar": "^7.5.8" + }, + "external-editor": { + "tmp": "^0.2.6" }The advisory
CVE-2026-44705 / GHSA-ph9p-34f9-6g65 — High (7.7), CWE-22. Affected
tmp < 0.2.6; patched0.2.6.tmpcomposes paths aspath.join(tmpDir, opts.dir, '<prefix>-<pid>-<random>-<postfix>')with no containment check.path.join()normalizes../sequences, so traversal inprefix,postfix, ordirescapes the temp directory and creates files at attacker-chosen locations with the process's privileges.Why Dependabot can't auto-fix it
Dependabot reports it cannot update:
external-editor@3.1.0pinstmp@^0.0.33, which is semver-incompatible with the0.2.6fix. The chain is:Bumping
all-contributors-clidoesn't help:6.26.1is already the latest stable and still depends oninquirer@^7.3.3. So the only route is a scoped override across the major boundary — which requires provingexternal-editorsurvives the jump.Why the major bump is safe
external-editorcalls exactly onetmpAPI:tmp@0.2.xstill exportstmpNameSync(alongsidefile,fileSync,dir,dirSync,tmpName,setGracefulCleanup). Verified functionally againsttmp@0.2.7:tmpNameSync({}),tmpNameSync({postfix:'.txt'}),tmpNameSync({prefix:'ec',postfix:'.md'})— all the option shapesinquirer/external-editorpass — return correctly.new ExternalEditor('hello')instantiates, creates its temp file, andcleanup()succeeds.all-contributors --version/--helpstill run (6.26.1).Verified actually fixed
The advisory's own PoC, run against both versions:
tmp@0.0.33(master)tmp@0.2.7(this PR)prefix: '../../escaped'/escaped902XoCeldgMRxIc— escaped to/Relative value not allowedpostfix: '/../../pwned.txt'/pwned.txt— escaped to/Relative value not allowedResult
Verified against current
master(b48496b):tmp@0.2.7, markedoverridden(was "^0.0.33") — single copy in the tree.tmp(high), plusexternal-editor,inquirer, andall-contributors-cli, which were flagged only because they depend on vulnerabletmp. Master: 16 advisories → this branch: 12.tmpwas never in the production tree, so plugin consumers were never exposed; this clears dev-tree alerts.npm cisucceeds (lockfile in sync),npm run build,npm run lint(0 errors),npm run test(360 passing, 21 suites) all green.tmp@0.0.33'sos-tmpdirdependency drops away.To apply
Notes
external-editor, its direct parent, rather than applied globally.external-editoris the only consumer oftmpin the tree, so the effect is identical today, but the scoped form documents intent and won't silently capture a future unrelatedtmpconsumer.all-contributors-cliis not wired into any npm script or workflow — it's run ad hoc against.all-contributorsrc. Removing it entirely (as withsemantic-releasein fix(security): remove unused semantic-release, pin serverless's tar >… #740) would also clear these alerts, but it's a tool you actually use, so overriding is the less disruptive fix. Worth revisiting if theinquirer@7chain accumulates more advisories.npm auditfindings (decompress,js-yaml,undici, …) are dev-only advisories fromserverless/@serverless/test/semantic-release, tracked separately (undiciandnpmare cleared by fix(security): remove unused semantic-release, pin serverless's tar >… #740).Summary by CodeRabbit