Resolve tmp CVE Audit Finding

Created 2026-06-12 18:55 America/New_York for islandflow.

branch: lavender/resolve-forgejo-security-issues scope: dependency security audit: clean

Summary

Updated the workspace dependency override for tmp so Bun resolves a patched version for the desktop packaging chain. The current audit finding, GHSA-ph9p-34f9-6g65, is no longer present: bun audit reports no vulnerabilities.

Changes Made

  • Changed the root overrides.tmp range from ^0.2.5 to ^0.2.6.
  • Regenerated bun.lock with bun install, resolving tmp to 0.2.7.
  • Checked Forgejo-related access paths for open issue review. Git-over-SSH worked, but Forgejo issue API/web access was blocked or unavailable from this environment.

Context

bun audit on current main reported one high-severity vulnerability: tmp <0.2.6, pulled through workspace:@islandflow/desktop via @electron-forge/cli. The advisory describes path traversal risk through unsanitized prefix/postfix handling.

A previous Forgejo security branch already attempted this remediation, but that remote branch/PR also contains unrelated standup and Beads/documentation commits. This branch was rebuilt from forgejo/main in a clean worktree so the PR contains only the security fix and this task record.

Forgejo issue enumeration could not be completed directly: fj issue search and authenticated REST calls hit Cloudflare 1010, the old git.dirtydishes.dev host resolves to 0.0.0.0, and git.deltaisland.io returned generic 404s for web issue routes. The local package audit was still checked end to end.

Important Implementation Details

  • The direct dependency source is transitive, so the safest narrow remediation is the existing root override.
  • The range starts at ^0.2.6, the first non-vulnerable version according to the audit rule, while the lockfile currently resolves tmp@0.2.7.
  • No runtime application code changed. This is a package graph and lockfile correction.

Relevant Diff Snippets

The rendered diff below is generated with @pierre/diffs/ssr using preloadPatchFile({ patch, options: {} }). Each SSR fragment is contained inside a declarative Shadow DOM root so Diffs styles cannot affect the rest of the report.

Expected Impact for End-Users

No interface or workflow behavior should change. The practical effect is reduced exposure to the known tmp path traversal advisory in the desktop build/tooling dependency graph.

Validation

  • bun audit: passed, no vulnerabilities found.
  • bun test: passed, 250 tests across 41 files.
  • git diff --check -- docs/turns/ package.json bun.lock: passed.
  • bun run check: failed on pre-existing Biome import-order diagnostics in unrelated source/test files. No dependency-fix files were implicated.

Issues, Limitations, and Mitigations

  • Forgejo issue list access was incomplete. CLI/API/web issue enumeration was blocked or unavailable from this environment. Mitigation: the local security audit was run from clean main, and the only active audit finding was fixed.
  • Full Biome check is not green on current main. It reports import-order fixes across existing files outside this change. Mitigation: the targeted security audit and full test suite passed, and the PR avoids broad formatting churn.
  • The fix relies on an override because tmp is transitive through Electron Forge tooling. Mitigation: the lockfile records the resolved patched version.

Follow-up Work

  • Once Forgejo issue access is available, cross-check the open issue list against this PR and close/comment on the matching security ticket.
  • Retire or close the older polluted lavender/address-cve-tmp@0.2.5 PR/branch if this clean PR supersedes it.
  • Run a separate formatting PR for the existing Biome import-order backlog if bun run check should become a merge gate.