[Security]: tmp allows arbitrary temporary file / directory write via symbolic link `dir` parameter

[onissen]

Link zum Dependbot Alert

https://github.com/ncs-northware/northware/security/dependabot/29

Schweregrad

Low

Betroffenes Package

@changesets/cli@2.29.7, @commitlint/prompt-cli, ultracite

Abhängigkeiten

northware@ /workspaces/northware
├─┬ @changesets/cli@2.29.7 -> ./node_modules/.pnpm/@changesets+cli@2.29.7_@types+node@24.3.3/node_modules/@changesets/cli
│ └─┬ @manypkg/get-packages@1.1.3 -> ./node_modules/.pnpm/@manypkg+get-packages@1.1.3/node_modules/@manypkg/get-packages
│   └─┬ globby@11.1.0 -> ./node_modules/.pnpm/globby@11.1.0/node_modules/globby
│     └─┬ ignore@5.3.2 -> ./node_modules/.pnpm/ignore@5.3.2/node_modules/ignore
│       └── tmp@0.0.33 invalid: "0.2.3" from node_modules/.pnpm/ignore@5.3.2/node_modules/ignore -> ./node_modules/.pnpm/tmp@0.0.33/node_modules/tmp
├─┬ @commitlint/prompt-cli@19.8.1 -> ./node_modules/.pnpm/@commitlint+prompt-cli@19.8.1_@types+node@24.3.3_typescript@5.9.2/node_modules/@commitlint/prompt-cli
│ └─┬ inquirer@9.3.7 -> ./node_modules/.pnpm/inquirer@9.3.7/node_modules/inquirer
│   └─┬ external-editor@3.1.0 -> ./node_modules/.pnpm/external-editor@3.1.0/node_modules/external-editor
│     └── tmp@0.0.33 -> ./node_modules/.pnpm/tmp@0.0.33/node_modules/tmp
└─┬ ultracite@5.3.4 -> ./node_modules/.pnpm/ultracite@5.3.4_@types+debug@4.1.12_@types+node@24.3.3_jiti@2.5.1_lightningcss@1.30.1_terser@5.43.1_typescript@5.9.2/node_modules/ultracite
  └─┬ vitest@3.2.4 -> ./node_modules/.pnpm/vitest@3.2.4_@types+debug@4.1.12_@types+node@24.3.3_jiti@2.5.1_lightningcss@1.30.1_terser@5.43.1/node_modules/vitest
    └─┬ flatted@3.3.3 -> ./node_modules/.pnpm/flatted@3.3.3/node_modules/flatted
      └─┬ @babel/preset-env@7.28.0 invalid: "7.26.9" from node_modules/.pnpm/next@15.5.3_@babel+core@7.28.0_react-dom@19.1.1_react@19.1.1__react@19.1.1/node_modules/next -> ./node_modules/.pnpm/@babel+preset-env@7.28.0_@babel+core@7.28.0/node_modules/@babel/preset-env
        └─┬ babel-plugin-polyfill-corejs2@0.4.14 -> ./node_modules/.pnpm/babel-plugin-polyfill-corejs2@0.4.14_@babel+core@7.28.0/node_modules/babel-plugin-polyfill-corejs2
          └─┬ @babel/helper-define-polyfill-provider@0.6.5 -> ./node_modules/.pnpm/@babel+helper-define-polyfill-provider@0.6.5_@babel+core@7.28.0/node_modules/@babel/helper-define-polyfill-provider
            └─┬ resolve@1.22.10 -> ./node_modules/.pnpm/resolve@1.22.10/node_modules/resolve
              └── tmp@0.0.33 deduped invalid: "0.2.3" from node_modules/.pnpm/ignore@5.3.2/node_modules/ignore, "^0.0.31" from node_modules/.pnpm/resolve@1.22.10/node_modules/resolve -> ./node_modules/.pnpm/tmp@0.0.33/node_modules/tmp

Beschreibung

No response

[onissen]

northware@ /workspaces/northware
├─┬ @changesets/cli@2.29.7 -> ./node_modules/.pnpm/@changesets+cli@2.29.7_@types+node@24.9.2/node_modules/@changesets/cli
│ └─┬ @manypkg/get-packages@1.1.3 -> ./node_modules/.pnpm/@manypkg+get-packages@1.1.3/node_modules/@manypkg/get-packages
│   └─┬ globby@11.1.0 -> ./node_modules/.pnpm/globby@11.1.0/node_modules/globby
│     └─┬ ignore@5.3.2 -> ./node_modules/.pnpm/ignore@5.3.2/node_modules/ignore
│       └── tmp@0.0.33 invalid: "0.2.3" from node_modules/.pnpm/ignore@5.3.2/node_modules/ignore -> ./node_modules/.pnpm/tmp@0.0.33/node_modules/tmp
├─┬ @commitlint/prompt-cli@20.1.0 -> ./node_modules/.pnpm/@commitlint+prompt-cli@20.1.0_@types+node@24.9.2_typescript@5.9.3/node_modules/@commitlint/prompt-cli
│ └─┬ inquirer@9.3.7 -> ./node_modules/.pnpm/inquirer@9.3.7/node_modules/inquirer
│   └─┬ external-editor@3.1.0 -> ./node_modules/.pnpm/external-editor@3.1.0/node_modules/external-editor
│     └── tmp@0.0.33 -> ./node_modules/.pnpm/tmp@0.0.33/node_modules/tmp
└─┬ ultracite@6.1.0 -> ./node_modules/.pnpm/ultracite@6.1.0_typescript@5.9.3/node_modules/ultracite
  └─┬ @trpc/server@11.6.0 -> ./node_modules/.pnpm/@trpc+server@11.6.0_typescript@5.9.3/node_modules/@trpc/server
    └─┬ next@16.0.1 invalid: "^15.3.1" from node_modules/.pnpm/@trpc+server@11.6.0_typescript@5.9.3/node_modules/@trpc/server -> ./node_modules/.pnpm/next@16.0.1_@babel+core@7.28.0_react-dom@19.2.0_react@19.2.0__react@19.2.0/node_modules/next
      ├─┬ @babel/plugin-transform-runtime@7.28.0 invalid: "7.26.10" from node_modules/.pnpm/next@16.0.1_@babel+core@7.28.0_react-dom@19.2.0_react@19.2.0__react@19.2.0/node_modules/next -> ./node_modules/.pnpm/@babel+plugin-transform-runtime@7.28.0_@babel+core@7.28.0/node_modules/@babel/plugin-transform-runtime
      │ └─┬ babel-plugin-polyfill-corejs2@0.4.14 -> ./node_modules/.pnpm/babel-plugin-polyfill-corejs2@0.4.14_@babel+core@7.28.0/node_modules/babel-plugin-polyfill-corejs2
      │   └─┬ @babel/helper-define-polyfill-provider@0.6.5 -> ./node_modules/.pnpm/@babel+helper-define-polyfill-provider@0.6.5_@babel+core@7.28.0/node_modules/@babel/helper-define-polyfill-provider
      │     └─┬ resolve@1.22.10 -> ./node_modules/.pnpm/resolve@1.22.10/node_modules/resolve
      │       └── tmp@0.0.33 deduped invalid: "0.2.3" from node_modules/.pnpm/ignore@5.3.2/node_modules/ignore, "^0.0.31" from node_modules/.pnpm/resolve@1.22.10/node_modules/resolve -> ./node_modules/.pnpm/tmp@0.0.33/node_modules/tmp
      └─┬ storybook@10.0.2 invalid: "8.6.0" from node_modules/.pnpm/next@16.0.1_@babel+core@7.28.0_react-dom@19.2.0_react@19.2.0__react@19.2.0/node_modules/next -> ./node_modules/.pnpm/storybook@10.0.2_@testing-library+dom@10.4.0_prettier@2.8.8_react-dom@19.2.0_react@19.2_cb6a832b92cbcf9251b3d54ba02182fd/node_modules/storybook
        └─┬ @storybook/icons@1.6.0 -> ./node_modules/.pnpm/@storybook+icons@1.6.0_react-dom@19.2.0_react@19.2.0__react@19.2.0/node_modules/@storybook/icons
          └─┬ @storybook/addon-docs@10.0.2 invalid: "^9.1.6" from node_modules/.pnpm/@storybook+icons@1.6.0_react-dom@19.2.0_react@19.2.0__react@19.2.0/node_modules/@storybook/icons -> ./node_modules/.pnpm/@storybook+addon-docs@10.0.2_@types+react@19.2.2_esbuild@0.25.11_rollup@4.44.2_storyboo_4551968072c667664b5ea66402780396/node_modules/@storybook/addon-docs
            └─┬ @storybook/csf-plugin@10.0.2 -> ./node_modules/.pnpm/@storybook+csf-plugin@10.0.2_esbuild@0.25.11_rollup@4.44.2_storybook@10.0.2_@testing-li_638bfdbfed9afb202f566534786fba9f/node_modules/@storybook/csf-plugin
              └─┬ unplugin@2.3.10 -> ./node_modules/.pnpm/unplugin@2.3.10/node_modules/unplugin
                └─┬ webpack-virtual-modules@0.6.2 -> ./node_modules/.pnpm/webpack-virtual-modules@0.6.2/node_modules/webpack-virtual-modules
                  └── tmp@0.0.33 deduped invalid: "0.2.3" from node_modules/.pnpm/ignore@5.3.2/node_modules/ignore, "^0.0.31" from node_modules/.pnpm/resolve@1.22.10/node_modules/resolve, "^0.2.1" from node_modules/.pnpm/webpack-virtual-modules@0.6.2/node_modules/webpack-virtual-modules -> ./node_modules/.pnpm/tmp@0.0.33/node_modules/tmp

[onissen]

This problem was discussed by changesets and a fix was part of the release 2.29.6 (changesets/changesets#1713) but the problem is still there with changesets@3 changesets will maybe change the package, which uses tmp

[onissen]

tmp was updated to v0.2.4 by commitlint in conventional-changelog/commitlint#4533