Fix npm security vulnerabilities #96

Merged
Alyssa Evans (alycda) merged 3 commits into master from security/batch-1781097955-master on Jun 11, 2026
Conversation

@ditto-integrations

Summary

Resolves: SPO-1023

Workflow run

Note: Target versions are sourced from Tines and may not always
reflect the latest or most appropriate release (e.g. a version may
be deprecated upstream). Please verify that the resolved versions
in lockfiles are suitable.

Test plan

  • CI passes
  • No new high/critical vulnerabilities in affected lockfiles
  • Affected SDK/component builds successfully

Generated by Tines + Claude Code

- **tmp** → 0.2.6 (CVE-2026-44705)

Resolves: SPO-1023

Co-Authored-By: Claude <noreply@anthropic.com>

Copilot AI left a comment

Pull request overview

This PR aims to remediate an npm security advisory by updating the tmp package to 0.2.6 (CVE-2026-44705) and aligning the lockfile accordingly for @dittolive/react-ditto.

Changes:

  • Add tmp@^0.2.6 to top-level dependencies in package.json.
  • Update package-lock.json to resolve tmp to 0.2.6 and reflect the updated root package version metadata.

Reviewed changes

Copilot reviewed 1 out of 2 changed files in this pull request and generated 1 comment.

File: package.json
Description: Adds tmp as a direct dependency (intended to address the vulnerability).

File: package-lock.json
Description: Updates the resolved tmp version to 0.2.6 and updates root package metadata in the lockfile.

Claude (claude) and others added 2 commits June 11, 2026 00:09

Move tmp from dependencies to devDependencies

tmp is a Node-only package that is not imported anywhere in the source.
It is already brought in transitively via karma/karma-typescript dev
tooling, so listing it as a direct runtime dependency unnecessarily
pollutes the published dependency graph and can cause browser bundlers
to pull in Node-only modules for consumers.

https://claude.ai/code/session_01WQBhS3gh24pwaFgriCfpU8
Alyssa Evans (alycda) merged commit 77a6962 into master on Jun 11, 2026
1 check passed
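The PR description asks that the resolved versions in the lockfile be verified, and the follow-up commit moves tmp out of runtime dependencies. The script below is an added example, not code from this PR or the ditto project, that checks both conditions against constructed stand-ins for package.json and package-lock.json (lockfile v3 "packages" layout); it also catches nested copies of a package that a top-level check would miss. The karma entries, version numbers other than tmp 0.2.6, and the audit functions are assumptions for illustration.

```javascript
// Constructed stand-ins for package.json and package-lock.json (lockfile v3
// "packages" layout). They mirror the state the review flagged: tmp patched
// to 0.2.6 but still listed under runtime dependencies.
const packageJson = {
  dependencies: { tmp: "^0.2.6" },
  devDependencies: { karma: "^6.4.0" },
};
const packageLock = {
  packages: {
    "": { dependencies: { tmp: "^0.2.6" } },
    "node_modules/tmp": { version: "0.2.6" },
    "node_modules/karma": { version: "6.4.0" },
  },
};

// Numeric x.y.z comparison (no prerelease handling): <0, 0 or >0.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) - (pb[i] || 0);
  }
  return 0;
}

// Every installed copy of `name` must be >= minVersion, including nested
// copies such as node_modules/karma/node_modules/tmp. No copy at all fails.
function lockfileResolvesAtLeast(lock, name, minVersion) {
  const leaf = `node_modules/${name}`;
  const versions = Object.entries(lock.packages || {})
    .filter(([path]) => path === leaf || path.endsWith(`/${leaf}`))
    .map(([, entry]) => entry.version);
  const ok = versions.length > 0 &&
    versions.every((v) => compareVersions(v, minVersion) >= 0);
  return { ok, versions };
}

// Node-only tooling belongs in devDependencies; a listing under dependencies
// is the condition the review called out, so it is reported as not ok.
function checkDependencyPlacement(pkg, name) {
  const inRuntime = Boolean(pkg.dependencies && pkg.dependencies[name]);
  const inDev = Boolean(pkg.devDependencies && pkg.devDependencies[name]);
  return { inRuntime, inDev, ok: !inRuntime };
}

// Combined verdict: patched everywhere in the lockfile AND not a runtime dep.
function audit(pkg, lock, name, minVersion) {
  const resolved = lockfileResolvesAtLeast(lock, name, minVersion);
  const placement = checkDependencyPlacement(pkg, name);
  return { ok: resolved.ok && placement.ok, resolved, placement };
}
```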