[security][CVE-2026-44705] tmp #18

Open
opened 2026-06-02 13:19:14 +00:00 by dirtydishes · 0 comments

Summary

New unaddressed high-severity CVE in the locked dependency graph: tmp@0.2.5 via @electron-forge/cli -> @inquirer/prompts -> @inquirer/editor -> external-editor -> tmp.

  • CVE: CVE-2026-44705 (GHSA-ph9p-34f9-6g65)
  • Severity: High (CVSS 7.7 on GitHub Advisory)
  • Affected in-repo version: tmp@0.2.5 in bun.lock
  • Scope: build/packaging dependency for apps/desktop rather than deployed web/API runtime, but still present in the repo lockfile and relevant to local/CI packaging workflows

Impact

The advisory describes path traversal when untrusted data reaches tmp prefix, postfix, or dir options. In this repo the vulnerable package is not in the production service runtime; it is pulled in by the Electron Forge toolchain. The practical risk is highest in local packaging or CI environments that invoke the Forge CLI on attacker-influenced inputs or plugins.

Remediation

  • Upgrade the dependency chain so the lock resolves to tmp@0.2.6 or later
  • Likely path: bump the Electron Forge / Inquirer chain and refresh bun.lock
  • If immediate upgrade is blocked, avoid passing untrusted values into any tmp usage in packaging helpers and treat packaging jobs as sensitive CI workloads

Evidence

  • bun audit --json reports the advisory
  • bun why tmp resolves the path through @electron-forge/cli

Counters

  • unaddressed critical CVEs: 0
  • unaddressed medium/low CVEs: 0
  • unaddressed total CVEs: 1

Sources

  • https://github.com/advisories/GHSA-ph9p-34f9-6g65
  • https://nvd.nist.gov/vuln/detail/CVE-2026-44705
Reference: dirtydishes/islandflow#18