Skip to content

WEBUI-2038: Remove stale tmp@0.2.3 from root lockfile (GHSA-52f5-9888-hmc6)#3173

Merged
madhurkulshrestha-hyland merged 1 commit into
lts-2025from
task-webui-2038-regen-root-lockfile-lts2025
May 21, 2026
Merged

WEBUI-2038: Remove stale tmp@0.2.3 from root lockfile (GHSA-52f5-9888-hmc6)#3173
madhurkulshrestha-hyland merged 1 commit into
lts-2025from
task-webui-2038-regen-root-lockfile-lts2025

Conversation

@madhurkulshrestha-hyland

@madhurkulshrestha-hyland madhurkulshrestha-hyland commented May 21, 2026

Copy link
Copy Markdown
Contributor

Summary

Removes the stale packages/nuxeo-web-ui-ftest/node_modules/tmp entry from the root package-lock.json to eliminate the Dependabot alert for GHSA-52f5-9888-hmc6 (tmp arbitrary file/directory write via symlink).

Problem

The root lockfile had a nested entry pinning tmp@0.2.3 for the ftest workspace sub-tree. Despite the "tmp": "^0.2.4" override in both root and ftest package.json, npm was not updating this lockfile entry (npm limitation with file: linked packages).

Fix

Removed the 10-line stale entry entirely. With it gone, npm correctly hoists tmp@0.2.5 from root node_modules/ (via the override).

Verified stable: After removal, subsequent rm -rf node_modules && npm install cycles do NOT recreate the ftest sub-tree entry — npm continues to use the hoisted 0.2.5.

Result

$ npm audit | grep tmp → (no matches)
$ npm audit → 7 vulnerabilities (all from @open-wc/karma-esm, unfixable without migration)

@madhurkulshrestha-hyland
WEBUI-2038: Remove stale tmp@0.2.3 entry from root lockfile
1e2b66c 
Removed the packages/nuxeo-web-ui-ftest/node_modules/tmp entry that was
pinned to vulnerable 0.2.3. With this entry gone, npm correctly hoists
tmp@0.2.5 from root node_modules (via the override). The lockfile is
stable across npm install cycles — the entry does not reappear.

Eliminates Dependabot alert GHSA-52f5-9888-hmc6 (tmp symlink write).
@madhurkulshrestha-hyland madhurkulshrestha-hyland requested a review from a team as a code owner May 21, 2026 18:41
@madhurkulshrestha-hyland madhurkulshrestha-hyland requested review from AnilKumarVanga, Nishant0928 and Copilot and removed request for a team May 21, 2026 18:41
Copilot AI reviewed May 21, 2026
View reviewed changes

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot wasn't able to review any files in this pull request.

@sonarqubecloud

sonarqubecloud Bot commented May 21, 2026

Copy link
Copy Markdown

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

@madhurkulshrestha-hyland madhurkulshrestha-hyland merged commit 50125e4 into lts-2025 May 21, 2026
13 of 14 checks passed
@madhurkulshrestha-hyland madhurkulshrestha-hyland deleted the task-webui-2038-regen-root-lockfile-lts2025 branch May 21, 2026 18:46
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@Nishant0928 Nishant0928 Awaiting requested review from Nishant0928 Nishant0928 is a code owner automatically assigned from nuxeo/ui

@AnilKumarVanga AnilKumarVanga Awaiting requested review from AnilKumarVanga AnilKumarVanga is a code owner automatically assigned from nuxeo/ui

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@madhurkulshrestha-hyland