fix tmp cve override #17

Open
dirtydishes wants to merge 7 commits from lavender/address-cve-tmp@0.2.5 into main
Owner

## summary

this addresses forgejo issue #15 by moving the root `tmp` override past the vulnerable range and refreshing the bun lockfile. bun now resolves the electron forge packaging chain to `tmp@0.2.7`.

## validation

`bun audit` reports no vulnerabilities.

`bun why tmp` shows `external-editor` resolving to `tmp@0.2.7` through the desktop packaging chain.

`bun test` passes with 250 tests.

`bun run check` still reports pre-existing biome organize-import diagnostics in unrelated files, so i left that churn out of this security fix and documented it in `docs/turns/2026-06-01-address-tmp-cve.html`.

## intended effect for end users

users should not see any product behavior change. the intended effect is cleaner dependency posture for desktop packaging and developer installs: the repository lockfile no longer carries the flagged `tmp@0.2.5` entry from cve-2026-44705.
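
A lockfile gate for the check the validation notes above describe, as an added example that is not part of the pull request or the islandflow repository: it scans lockfile text for every resolved `tmp` version, nested entries included, and reports any below a floor. The floor `0.2.7`, the function names and the sample lockfile excerpts are assumptions constructed for illustration; the page does not state the advisory's fixed version.

```javascript
// Added example, not project code. MIN_SAFE is an assumption: the page only
// says tmp@0.2.5 is flagged and that the fix resolves to tmp@0.2.7.
const MIN_SAFE = "0.2.7";

// Compare two plain x.y.z versions numerically; returns <0, 0 or >0.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Collect every resolved version of `name` in lockfile text. The lookbehind
// keeps "@types/tmp@..." and "foo-tmp@..." from matching as "tmp".
// A prerelease suffix after x.y.z is ignored.
function resolvedVersions(lockText, name) {
  const escaped = name.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
  const re = new RegExp(`(?<![\\w@./-])${escaped}@(\\d+\\.\\d+\\.\\d+)`, "g");
  const found = new Set();
  for (const m of lockText.matchAll(re)) found.add(m[1]);
  return [...found].sort(compareVersions);
}

// Return the versions below minSafe; an empty array means the gate passes.
function flaggedVersions(lockText, name, minSafe = MIN_SAFE) {
  return resolvedVersions(lockText, name).filter((v) => compareVersions(v, minSafe) < 0);
}

// Constructed lockfile excerpt (shape modelled on bun's text lockfile): the
// root entry is already updated, but a nested entry still pins the old version.
const BEFORE = `
  "packages": {
    "@types/tmp": ["@types/tmp@0.2.3", "", {}, "sha512-constructed"],
    "external-editor": ["external-editor@3.1.0", "", { "dependencies": { "tmp": "^0.0.33" } }, "sha512-constructed"],
    "tmp": ["tmp@0.2.7", "", {}, "sha512-constructed"],
    "external-editor/tmp": ["tmp@0.2.5", "", {}, "sha512-constructed"],
  }`;
// Same excerpt after the override takes effect for the nested entry too.
const AFTER = BEFORE.replace('"tmp@0.2.5"', '"tmp@0.2.7"');

console.log("before:", flaggedVersions(BEFORE, "tmp"));
console.log("after: ", flaggedVersions(AFTER, "tmp"));
```

In CI, a non-empty result from `flaggedVersions` would fail the job, so a later lockfile refresh that reintroduces the old version is caught at review time.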

dirtydishes added 1 commit 2026-06-01 17:37:43 +00:00
fix tmp cve override
Some checks failed
CI / Validate (pull_request) Failing after 1m11s
8ede8cc8f3
dirtydishes added 1 commit 2026-06-02 01:05:52 +00:00
use dev routes types in next env
Some checks failed
CI / Validate (pull_request) Failing after 1m7s
1bf113300d
dirtydishes added 1 commit 2026-06-02 01:14:33 +00:00
fix ci import path for next routes types
Some checks failed
CI / Validate (pull_request) Failing after 1m4s
a60619579b
dirtydishes added 1 commit 2026-06-02 13:06:27 +00:00
docs(general): add June 1 standup summary
Some checks failed
CI / Validate (pull_request) Failing after 1m5s
12b9046894
dirtydishes added 1 commit 2026-06-03 16:31:55 +00:00
docs(general): add June 2 standup summary
Some checks failed
CI / Validate (pull_request) Failing after 1m7s
1125471d8d
dirtydishes added 1 commit 2026-06-04 13:04:14 +00:00
docs(general): add June 3 standup summary
Some checks failed
CI / Validate (pull_request) Failing after 1m4s
a74cf7b034
dirtydishes added 1 commit 2026-06-06 03:35:51 +00:00
resolve pr 45 beads conflict
Some checks failed
CI / Validate (pull_request) Failing after 1m7s
5782235e39
This pull request can be merged automatically.
This branch is out-of-date with the base branch
Reference: dirtydishes/islandflow#17