175 unmodified lines176177178179180181182992 unmodified lines1175117611771178117911801181175 unmodified lines"@electron/node-gyp": "^10.2.0-electron.2","postcss": "^8.5.15","tar": "^7.5.15","tmp": "^0.2.5",},"packages": {"@biomejs/biome": ["@biomejs/biome@2.4.16", "", { "optionalDependencies": { "@biomejs/cli-darwin-arm64": "2.4.16", "@biomejs/cli-darwin-x64": "2.4.16", "@biomejs/cli-linux-arm64": "2.4.16", "@biomejs/cli-linux-arm64-musl": "2.4.16", "@biomejs/cli-linux-x64": "2.4.16", "@biomejs/cli-linux-x64-musl": "2.4.16", "@biomejs/cli-win32-arm64": "2.4.16", "@biomejs/cli-win32-x64": "2.4.16" }, "bin": { "biome": "bin/biome" } }, "sha512-x9ajFh1zChVybCiM3TN6OD4phAqLgtPZjFrZF+aTMYCPjwBO+k529TX7PPsAqtGNLeV4UgzwQnowEgS7bGmzcA=="],992 unmodified lines"terser-webpack-plugin": ["terser-webpack-plugin@5.6.0", "", { "dependencies": { "@jridgewell/trace-mapping": "^0.3.25", "jest-worker": "^27.4.5", "schema-utils": "^4.3.0", "terser": "^5.31.1" }, "peerDependencies": { "webpack": "^5.1.0" } }, "sha512-Eum+5ajkaOhf5KbM26osvv21kLD7BaGqQ1UA4Ami4arYwylmGUQTgHFpHDdmJod1q4QXa66p0to/FBKID+J1vA=="],"tmp": ["tmp@0.2.5", "", {}, "sha512-voyz6MApa1rQGUxT3E+BK7/ROe8itEx7vD8/HEvt4xwXucvQ5G5oeEiHkmHZJuBO21RpOf+YYm9MOivj709jow=="],"to-regex-range": ["to-regex-range@5.0.1", "", { "dependencies": { "is-number": "^7.0.0" } }, "sha512-65P7iz6X5yEr1cwcgvQxbbIw7Uk3gOy5dIdtZ4rDveLqhrdJP+Li/Hx6tyK0NEb+2GCyneCMJiGqrADCSNk8sQ=="],175 unmodified lines176177178179180181182992 unmodified lines1175117611771178117911801181175 unmodified lines"@electron/node-gyp": "^10.2.0-electron.2","postcss": "^8.5.15","tar": "^7.5.15","tmp": "^0.2.6",},"packages": {"@biomejs/biome": ["@biomejs/biome@2.4.16", "", { "optionalDependencies": { "@biomejs/cli-darwin-arm64": "2.4.16", "@biomejs/cli-darwin-x64": "2.4.16", "@biomejs/cli-linux-arm64": "2.4.16", "@biomejs/cli-linux-arm64-musl": "2.4.16", "@biomejs/cli-linux-x64": "2.4.16", "@biomejs/cli-linux-x64-musl": "2.4.16", "@biomejs/cli-win32-arm64": "2.4.16", 
"@biomejs/cli-win32-x64": "2.4.16" }, "bin": { "biome": "bin/biome" } }, "sha512-x9ajFh1zChVybCiM3TN6OD4phAqLgtPZjFrZF+aTMYCPjwBO+k529TX7PPsAqtGNLeV4UgzwQnowEgS7bGmzcA=="],992 unmodified lines"terser-webpack-plugin": ["terser-webpack-plugin@5.6.0", "", { "dependencies": { "@jridgewell/trace-mapping": "^0.3.25", "jest-worker": "^27.4.5", "schema-utils": "^4.3.0", "terser": "^5.31.1" }, "peerDependencies": { "webpack": "^5.1.0" } }, "sha512-Eum+5ajkaOhf5KbM26osvv21kLD7BaGqQ1UA4Ami4arYwylmGUQTgHFpHDdmJod1q4QXa66p0to/FBKID+J1vA=="],"tmp": ["tmp@0.2.7", "", {}, "sha512-e0votIpp4Uo2AJYSzVHV6xCcawuiez3DzqDAbrTc3YxBkplN6e+dM13ZeIcZnDg/QpSuU2zfZ3rzwY8ukEnaXw=="],"to-regex-range": ["to-regex-range@5.0.1", "", { "dependencies": { "is-number": "^7.0.0" } }, "sha512-65P7iz6X5yEr1cwcgvQxbbIw7Uk3gOy5dIdtZ4rDveLqhrdJP+Li/Hx6tyK0NEb+2GCyneCMJiGqrADCSNk8sQ=="],
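Review bot: the first hunk only widens the override to the caret range ^0.2.6, while the second hunk records the concrete resolution tmp@0.2.7 with a new sha512; nothing in the lockfile ties the override to that resolution, so any later `bun install` that is allowed to re-resolve can move tmp elsewhere inside 0.2.x and silently replace the integrity recorded here. Suggest running CI and release installs with `bun install --frozen-lockfile` so the packaged tmp is exactly the tmp@0.2.7 entry in this hunk, and stating in the tracking issue that the advisory minimum (0.2.6) and the resolved version (0.2.7) intentionally differ.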
Repository turn document · 2026-06-01
Addressed Forgejo issue #15 by moving the tmp override past CVE-2026-44705
The vulnerable transitive tmp@0.2.5 lockfile entry has been replaced with a patched resolution. The dependency chain remains the Electron desktop packaging path, not a live service runtime path.
Summary
Updated the root Bun override for tmp from ^0.2.5 to ^0.2.6 and refreshed bun.lock. Bun resolved the package to tmp@0.2.7, which satisfies the new override and is above the minimum patched version named in the advisory.
Changes Made
- Changed package.json so the root override requests tmp ^0.2.6.
- Ran bun install to regenerate bun.lock with the new override and checksum.
- Verified the Electron Forge dependency chain still resolves through external-editor to the patched tmp@0.2.7.
- Created and claimed Beads task islandflow-9ur to track the Forgejo issue locally.
Context
Forgejo issue #15 reported CVE-2026-44705 / GHSA-ph9p-34f9-6g65 against tmp@0.2.5. The affected package is pulled transitively through the desktop packaging toolchain: @islandflow/desktop, @electron-forge/cli, @inquirer/prompts, @inquirer/editor, external-editor, and then tmp.
This is a developer and packaging surface rather than the live market-data runtime, but the vulnerable version was present in the repository lockfile and needed to be removed.
Important Implementation Details
- The override was bumped to ^0.2.6, matching the issue remediation guidance while allowing Bun to choose the latest compatible patch.
- Bun selected tmp@0.2.7, so the lockfile now lands above the minimum patched version.
- No runtime service code changed. The change is limited to dependency policy and lockfile resolution.
Relevant Diff Snippets
Rendered below with @pierre/diffs/ssr using preloadPatchFile, following the Diffs SSR guidance at diffs.com/docs. The generated markup is embedded directly in this HTML document.
38 unmodified lines3940414243444538 unmodified lines"overrides": {"postcss": "^8.5.15","tar": "^7.5.15","tmp": "^0.2.5","@electron/node-gyp": "^10.2.0-electron.2"},"dependencies": {38 unmodified lines3940414243444538 unmodified lines"overrides": {"postcss": "^8.5.15","tar": "^7.5.15","tmp": "^0.2.6","@electron/node-gyp": "^10.2.0-electron.2"},"dependencies": {
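Review bot: the overrides block now carries four caret-range entries (postcss, tar, tmp, @electron/node-gyp) and package.json cannot hold a comment saying which advisory each one answers, so the link between `"tmp": "^0.2.6"` and CVE-2026-44705 / GHSA-ph9p-34f9-6g65 exists only in this report. Suggest recording the advisory id and the minimum version next to the override in whatever the repo uses for security notes (or in the Beads task), so a later dependency cleanup does not relax the tmp entry back into the vulnerable range.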
Expected Impact for End-Users
End users should not see any product behavior change. The useful effect is supply-chain hygiene: desktop packaging and developer installs no longer carry the flagged tmp@0.2.5 lockfile entry.
Validation
- Passed: bun audit returned No vulnerabilities found.
- Passed: bun why tmp resolved the dependency chain to tmp@0.2.7.
- Passed: bun test completed with 250 pass, 0 fail.
- Known existing failure: bun run check still reports Biome import-order diagnostics across unrelated files. The first reported files include apps/desktop/src/main.ts, apps/web/app/layout.tsx, and several package storage tests. Those diagnostics predate this dependency-only fix and were not changed in this turn.
Issues, Limitations, and Mitigations
The broad Biome check is not green because of existing organize-import diagnostics unrelated to the tmp override. The mitigation for this turn is that the security-specific validation passed: the audit is clean and the package now resolves to a patched version.
Because only the override and the lockfile resolution changed, no runtime behavior change is expected, but desktop packaging should still be exercised before any release that depends on the Electron Forge path.
Follow-up Work
- Create a separate Beads issue for the repo-wide Biome import-order cleanup if the team wants bun run check restored to green.
- Run desktop packaging validation before the next desktop release to confirm the Forge chain remains healthy with tmp@0.2.7.
- Consider an automated dependency audit gate so security override bumps are verified in CI as part of the normal branch flow.
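The audit gate proposed in the last follow-up item, written out as an added example rather than the repository's own tooling: a POSIX shell check that reads the resolved version of a package out of bun.lock and fails when it is below the advisory's minimum. The function names and the CI placement are assumptions; the sample lockfile content is constructed to match the shape of the bun.lock entries in the diff above (the sha512 strings are the ones recorded there). It does not call bun itself, so it runs offline; in CI it would sit next to bun install --frozen-lockfile and bun audit, which need the network.

```shell
#!/bin/sh
# Lockfile gate for a security override bump: fail the build when bun.lock still
# resolves a package below the minimum patched version. Added example, not code
# from the repository; it needs only sed, awk and a POSIX shell.

# Print the resolved version of package $2 from the bun.lock at $1, read from the
# '"name": ["name@X.Y.Z", ...]' entry in the packages block. '|' is the sed
# delimiter so scoped names such as @biomejs/biome work. The overrides block
# entry ('"tmp": "^0.2.6"') has no '[' and is deliberately not matched.
# Empty output means the package is not in the lock.
resolved_version() {
  lock="$1"; pkg="$2"
  sed -n "s|^[[:space:]]*\"$pkg\": \[\"$pkg@\([^\"]*\)\".*|\1|p" "$lock" | head -n 1
}

# Return 0 when dotted version $1 >= $2, comparing each component numerically so
# 0.10.0 > 0.9.9. A pre-release suffix after '-' is dropped; missing fields are 0.
version_ge() {
  a="${1%%-*}"; b="${2%%-*}"
  i=1
  while [ "$i" -le 3 ]; do
    x=$(printf '%s' "$a" | awk -F. -v n="$i" '{ print $n + 0 }')
    y=$(printf '%s' "$b" | awk -F. -v n="$i" '{ print $n + 0 }')
    [ "$x" -gt "$y" ] && return 0
    [ "$x" -lt "$y" ] && return 1
    i=$((i + 1))
  done
  return 0
}

# Gate: 0 if package $2 resolves at or above $3 in lockfile $1, 1 if it is below,
# 2 if it is absent (also a failure: the override may have been dropped, or the
# name is wrong, and either way the check proved nothing).
lock_gate() {
  lock="$1"; pkg="$2"; minver="$3"
  got=$(resolved_version "$lock" "$pkg")
  if [ -z "$got" ]; then
    echo "gate: $pkg not present in $lock" >&2
    return 2
  fi
  if version_ge "$got" "$minver"; then
    echo "gate: $pkg resolves to $got (>= $minver): ok"
    return 0
  fi
  echo "gate: $pkg resolves to $got (< $minver): FAIL" >&2
  return 1
}

# Constructed sample lockfiles: the tmp entry before and after the override bump,
# plus neighbouring entries to show the pattern does not match them by accident.
VULN_LOCK=$(mktemp); PATCHED_LOCK=$(mktemp)
trap 'rm -f "$VULN_LOCK" "$PATCHED_LOCK"' EXIT
cat > "$VULN_LOCK" <<'EOF'
  "packages": {
    "@biomejs/biome": ["@biomejs/biome@2.4.16", "", {}, "sha512-x9ajFh1zChVybCiM3TN6OD4phAqLgtPZjFrZF+aTMYCPjwBO+k529TX7PPsAqtGNLeV4UgzwQnowEgS7bGmzcA=="],
    "tmp": ["tmp@0.2.5", "", {}, "sha512-voyz6MApa1rQGUxT3E+BK7/ROe8itEx7vD8/HEvt4xwXucvQ5G5oeEiHkmHZJuBO21RpOf+YYm9MOivj709jow=="],
    "to-regex-range": ["to-regex-range@5.0.1", "", { "dependencies": { "is-number": "^7.0.0" } }, "sha512-65P7iz6X5yEr1cwcgvQxbbIw7Uk3gOy5dIdtZ4rDveLqhrdJP+Li/Hx6tyK0NEb+2GCyneCMJiGqrADCSNk8sQ=="],
EOF
cat > "$PATCHED_LOCK" <<'EOF'
  "packages": {
    "@biomejs/biome": ["@biomejs/biome@2.4.16", "", {}, "sha512-x9ajFh1zChVybCiM3TN6OD4phAqLgtPZjFrZF+aTMYCPjwBO+k529TX7PPsAqtGNLeV4UgzwQnowEgS7bGmzcA=="],
    "tmp": ["tmp@0.2.7", "", {}, "sha512-e0votIpp4Uo2AJYSzVHV6xCcawuiez3DzqDAbrTc3YxBkplN6e+dM13ZeIcZnDg/QpSuU2zfZ3rzwY8ukEnaXw=="],
    "to-regex-range": ["to-regex-range@5.0.1", "", { "dependencies": { "is-number": "^7.0.0" } }, "sha512-65P7iz6X5yEr1cwcgvQxbbIw7Uk3gOy5dIdtZ4rDveLqhrdJP+Li/Hx6tyK0NEb+2GCyneCMJiGqrADCSNk8sQ=="],
EOF

# CI usage: the minimum comes from the advisory remediation guidance (0.2.6).
# In a real pipeline the second call is the only one and its status fails the job.
lock_gate "$VULN_LOCK" tmp 0.2.6 || echo "vulnerable lockfile rejected as intended"
lock_gate "$PATCHED_LOCK" tmp 0.2.6 || echo "would fail the build"
```

The gate reads the lockfile rather than re-running bun why because the lockfile is the artifact that gets packaged; pairing it with bun install --frozen-lockfile in the same job means a drift between package.json overrides and bun.lock fails before the audit step runs.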