[security][CVE-2026-44705] tmp #15

Open
opened 2026-05-30 13:20:03 +00:00 by dirtydishes · 2 comments
Owner

Summary

New active unaddressed high-severity CVE detected in the current Bun lockfile.

Counters for this run:

  • unaddressed critical CVEs: 0
  • unaddressed medium/low CVEs: 0
  • unaddressed total CVEs: 1

Finding

  • CVE: CVE-2026-44705
  • Advisory: GHSA-ph9p-34f9-6g65
  • Affected component: tmp@0.2.5 (resolved in bun.lock)
  • Severity: High (GitHub 7.7, GitLab/NVD mirror 7.5)
  • Vulnerable range: <0.2.6
  • Patched version: 0.2.6+
  • Published: 2026-05-27

Project impact

tmp is pulled in transitively through the Electron desktop packaging chain:
@islandflow/desktop -> @electron-forge/cli -> @inquirer/prompts -> @inquirer/editor -> external-editor -> tmp

This appears to be a developer/packaging-surface issue rather than a live Bun service runtime issue, but it is still present in the repository lockfile and should be upgraded.

Recommended remediation

  • Bump the root override from tmp ^0.2.5 to tmp ^0.2.6 or newer.
  • Refresh the Bun lockfile and verify the desktop forge dependency chain still resolves cleanly.
  • Re-run bun audit after the lockfile update.

Validation used in triage

  • bun audit --json
  • bun why tmp
  • OSV query for tmp@0.2.5

Source links

  • https://github.com/advisories/GHSA-ph9p-34f9-6g65
  • https://nvd.nist.gov/vuln/detail/CVE-2026-44705
  • https://advisories.gitlab.com/npm/tmp/CVE-2026-44705/
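The triage above relies on an OSV query and on the per-severity counters reported for the run. The script below is an added example for this thread, not code from the islandflow project or its audit tooling: it builds the documented OSV `POST /v1/query` request body, evaluates an OSV-style advisory record against the version a lockfile resolves, and derives the same counter buckets the issue template uses (critical, medium/low, total). The `OSV_RESPONSE` record and the `RESOLVED_BEFORE`/`RESOLVED_AFTER` maps are constructed by hand to mirror the advisory data quoted in the issue (fixed in 0.2.6, resolved 0.2.5 before and 0.2.7 after the lockfile refresh); the function names `audit`, `is_affected`, `version_in_range` and `severity_bucket` are the example's own. It does not parse `bun.lock` itself; the resolved versions stand in for what `bun why tmp` reports.

```python
"""Check lockfile-resolved versions against an OSV advisory record.

Added example for this issue thread, not code from the islandflow project.
OSV_RESPONSE is constructed by hand to mirror the advisory quoted in the
issue (GHSA-ph9p-34f9-6g65 / CVE-2026-44705, fixed in tmp 0.2.6); a live
record from https://api.osv.dev/v1/query may carry additional fields.
"""
import json
import urllib.request

OSV_QUERY_URL = "https://api.osv.dev/v1/query"

# Constructed OSV-style response (not a live fetch).
OSV_RESPONSE = {
    "vulns": [{
        "id": "GHSA-ph9p-34f9-6g65",
        "aliases": ["CVE-2026-44705"],
        "published": "2026-05-27T00:00:00Z",
        "database_specific": {"severity": "HIGH"},
        "affected": [{
            "package": {"ecosystem": "npm", "name": "tmp"},
            "ranges": [{"type": "SEMVER",
                        "events": [{"introduced": "0"}, {"fixed": "0.2.6"}]}],
        }],
    }]
}

# Constructed resolved versions, standing in for what `bun why tmp` reports
# before and after the lockfile refresh described in the issue.
RESOLVED_BEFORE = {"tmp": "0.2.5"}
RESOLVED_AFTER = {"tmp": "0.2.7"}


def osv_query_body(name, version, ecosystem="npm"):
    """Request body for POST /v1/query (the OSV API's documented shape)."""
    return {"version": version, "package": {"name": name, "ecosystem": ecosystem}}


def fetch_osv(name, version, ecosystem="npm"):
    """Live lookup; never called at import time, so the module runs offline."""
    data = json.dumps(osv_query_body(name, version, ecosystem)).encode()
    req = urllib.request.Request(OSV_QUERY_URL, data=data,
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def parse_semver(text):
    """'0.2.6' -> (0, 2, 6). Pre-release and build suffixes are dropped, a
    simplification: '1.0.0-rc1' compares equal to '1.0.0' here."""
    core = text.split("+", 1)[0].split("-", 1)[0]
    parts = [int(p) for p in core.split(".") if p != ""]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def version_in_range(version, events):
    """OSV range semantics: each 'introduced' opens an interval that a later
    'fixed' closes half-open ([introduced, fixed)) or 'last_affected' closes
    inclusive; an 'introduced' with no closing event is open-ended."""
    v = parse_semver(version)
    lower = None
    for ev in events:
        if "introduced" in ev:
            lower = parse_semver(ev["introduced"])
        elif "fixed" in ev and lower is not None:
            if lower <= v < parse_semver(ev["fixed"]):
                return True
            lower = None
        elif "last_affected" in ev and lower is not None:
            if lower <= v <= parse_semver(ev["last_affected"]):
                return True
            lower = None
    return lower is not None and v >= lower


def is_affected(vuln, name, version, ecosystem="npm"):
    """True if any 'affected' entry for this package covers the version."""
    for entry in vuln.get("affected", []):
        pkg = entry.get("package", {})
        if pkg.get("ecosystem") != ecosystem or pkg.get("name") != name:
            continue
        if version in entry.get("versions", []):
            return True
        for rng in entry.get("ranges", []):
            if rng.get("type") in ("SEMVER", "ECOSYSTEM") and \
                    version_in_range(version, rng.get("events", [])):
                return True
    return False


def severity_bucket(vuln):
    """Map the advisory's severity label onto the issue's counter buckets."""
    label = str(vuln.get("database_specific", {}).get("severity", "")).upper()
    if label == "CRITICAL":
        return "critical"
    if label == "HIGH":
        return "high"
    if label in ("MODERATE", "MEDIUM", "LOW"):
        return "medium/low"
    return "unknown"


def audit(resolved, osv_response):
    """Return findings plus the counters the issue template reports."""
    findings = []
    for vuln in osv_response.get("vulns", []):
        for name, version in resolved.items():
            if is_affected(vuln, name, version):
                findings.append({"id": vuln["id"], "aliases": vuln.get("aliases", []),
                                 "package": f"{name}@{version}",
                                 "severity": severity_bucket(vuln)})
    counters = {"critical": 0, "high": 0, "medium/low": 0, "unknown": 0,
                "total": len(findings)}
    for finding in findings:
        counters[finding["severity"]] += 1
    return {"findings": findings, "counters": counters}


if __name__ == "__main__":
    for label, resolved in (("before", RESOLVED_BEFORE), ("after", RESOLVED_AFTER)):
        print(label, json.dumps(audit(resolved, OSV_RESPONSE)["counters"]))
```

Running it prints one finding for the 0.2.5 resolution (high 1, total 1) and none for 0.2.7, which is the before/after state the two comments below describe. The half-open `[introduced, fixed)` handling matters for this advisory: 0.2.6 is the first patched version and must not be flagged.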
Author
Owner

Fixed on branch lavender/address-cve-tmp@0.2.5 in commit 8ede8cc.

What changed:

  • bumped the root tmp override from ^0.2.5 to ^0.2.6
  • refreshed bun.lock, which now resolves tmp@0.2.7
  • added turn documentation at docs/turns/2026-06-01-address-tmp-cve.html

Validation:

  • bun audit -> no vulnerabilities found
  • bun why tmp -> Electron Forge chain resolves to tmp@0.2.7
  • bun test -> 250 pass, 0 fail

Note: bun run check still fails on pre-existing Biome import-order diagnostics in unrelated files.

Author
Owner

Opened PR #17 for this fix: https://git.deltaisland.io/dirtydishes/islandflow/pulls/17