Commit cf2db2a

[BANK-5155] Bump TMP Transitive Dependency to Resolve Security Vulnerability (#398)
The pipeline for this repo seems to be failing a [security update](https://github.com/circlefin/payments-sample-app/actions/runs/16790262303/job/47550375468).

The vulnerability is in a transitive dependency called `tmp`, which nuxt uses at version 0.0.33, and the lowest non-vulnerable version is 0.2.4.

A long-term solution would be to update Nuxt to version 3, but this requires much more effort. As a short-term fix, add a yarn resolution to require tmp version >= 0.2.4.
1 parent 3ea592e commit cf2db2a

2 files changed

+9
-7
lines changed

package.json

Lines changed: 4 additions & 0 deletions
@@ -51,6 +51,10 @@
5151
"vue-the-mask": "^0.11.1",
5252
"vuex-persist": "3.1.3"
5353
},
54+
"resolutions": {
55+
"tmp": ">=0.2.4",
56+
"external-editor/tmp": ">=0.2.4"
57+
},
5458
"devDependencies": {
5559
"@nuxt/types": "^2.15.8",
5660
"@nuxt/typescript-build": "2.1.0",
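Review bot: The range `">=0.2.4"` on both new `resolutions` entries has no upper bound, so the next time the lockfile is regenerated yarn may select any later release of `tmp`, including a new major version with breaking changes. Consider a bounded range such as `^0.2.4`, or an exact pin, so the override stays on the patched 0.2.x line. Since JSON cannot carry a comment, the reason for the override and the condition for removing it (the Nuxt 3 upgrade mentioned in the commit message) should be recorded somewhere discoverable, such as the README or the BANK-5155 ticket. It is also worth confirming whether the second entry, `"external-editor/tmp"`, is needed in addition to the top-level `"tmp"` entry; if one pattern already covers the other, keeping only one makes the override easier to remove later.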

yarn.lock

Lines changed: 5 additions & 7 deletions
@@ -11161,7 +11161,7 @@ os-homedir@^1.0.0:
1116111161
resolved "https://registry.yarnpkg.com/os-homedir/-/os-homedir-1.0.2.tgz#ffbc4988336e0e833de0c168c7ef152121aa7fb3"
1116211162
integrity sha1-/7xJiDNuDoM94MFox+8VISGqf7M=
1116311163

11164-
os-tmpdir@^1.0.0, os-tmpdir@~1.0.2:
11164+
os-tmpdir@^1.0.0:
1116511165
version "1.0.2"
1116611166
resolved "https://registry.yarnpkg.com/os-tmpdir/-/os-tmpdir-1.0.2.tgz#bbe67406c79aa85c5cfec766fe5734555dfa1274"
1116711167
integrity sha1-u+Z0BseaqFxc/sdm/lc0VV36EnQ=
@@ -14101,12 +14101,10 @@ timsort@^0.3.0:
1410114101
resolved "https://registry.yarnpkg.com/timsort/-/timsort-0.3.0.tgz#405411a8e7e6339fe64db9a234de11dc31e02bd4"
1410214102
integrity sha1-QFQRqOfmM5/mTbmiNN4R3DHgK9Q=
1410314103

14104-
tmp@^0.0.33:
14105-
version "0.0.33"
14106-
resolved "https://registry.yarnpkg.com/tmp/-/tmp-0.0.33.tgz#6d34335889768d21b2bcda0aa277ced3b1bfadf9"
14107-
integrity sha512-jRCJlojKnZ3addtTOjdIqoRuPEKBvNXcGYqzO6zWZX8KfKEpnGY5jfggJQ3EjKuu8D4bJRr0y+cYJFmYbImXGw==
14108-
dependencies:
14109-
os-tmpdir "~1.0.2"
14104+
tmp@>=0.2.4, tmp@^0.0.33:
14105+
version "0.2.4"
14106+
resolved "https://registry.yarnpkg.com/tmp/-/tmp-0.2.4.tgz#c6db987a2ccc97f812f17137b36af2b6521b0d13"
14107+
integrity sha512-UdiSoX6ypifLmrfQ/XfiawN6hkjSBpCjhKxxZcWlUUmoXLaCKQU0bx4HF/tdDK2uzRuchf1txGvrWBzYREssoQ==
1411014108

1411114109
tmpl@1.0.x:
1411214110
version "1.0.5"
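Review bot: The merged lock entry `tmp@>=0.2.4, tmp@^0.0.33:` now satisfies a `^0.0.33` request with version 0.2.4, which is outside the range that dependent declared, so compatibility is no longer guaranteed by semver. The removed 0.0.33 entry depended on `os-tmpdir "~1.0.2"` and the new entry lists no dependencies, which shows the package internals changed between the two versions. Before merging, run the build and any flow that reaches the package requesting `tmp@^0.0.33` to confirm it works against 0.2.4, and note the result in the PR so the forced upgrade has a recorded check behind it.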
