From 52a4d8aa05d7e01136cca0cd28fbb8e1fae5a56f Mon Sep 17 00:00:00 2001
From: "github-actions[bot]"
Date: Wed, 10 Jun 2026 13:27:37 +0000
Subject: [PATCH 1/2] [Security][npm] Fix dependency vulnerabilities
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- **tmp** → 0.2.6 (CVE-2026-44705)
Resolves: SPO-1023
Co-Authored-By: Claude
---
 package-lock.json | 14 +++++++-------
 package.json | 3 ++-
 2 files changed, 9 insertions(+), 8 deletions(-)

diff --git a/package-lock.json b/package-lock.json
index 4ba11c8..a6fabb9 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -1,15 +1,16 @@
 {
 "name": "@dittolive/react-ditto",
- "version": "1.0.0",
+ "version": "1.0.1",
 "lockfileVersion": 3,
 "requires": true,
 "packages": {
 "": {
 "name": "@dittolive/react-ditto",
- "version": "1.0.0",
+ "version": "1.0.1",
 "license": "ISC",
 "dependencies": {
- "lodash.isequal": "^4.5.0"
+ "lodash.isequal": "^4.5.0",
+ "tmp": "^0.2.6"
 },
 "devDependencies": {
 "@dittolive/ditto": "^5.0.0",
@@ -9588,10 +9589,9 @@
 }
 },
 "node_modules/tmp": {
- "version": "0.2.5",
- "resolved": "https://registry.npmjs.org/tmp/-/tmp-0.2.5.tgz",
- "integrity": "sha512-voyz6MApa1rQGUxT3E+BK7/ROe8itEx7vD8/HEvt4xwXucvQ5G5oeEiHkmHZJuBO21RpOf+YYm9MOivj709jow==",
- "dev": true,
+ "version": "0.2.6",
+ "resolved": "https://registry.npmjs.org/tmp/-/tmp-0.2.6.tgz",
+ "integrity": "sha512-5sJPdPjfI5Kx+qbrDesxkglRBxW//g7hCsqspEjwkewGvBMGIKMOTKzLt1hFVJzyadba3lDUN20O9qhvbQUSTA==",
 "license": "MIT",
 "engines": {
 "node": ">=14.14"
diff --git a/package.json b/package.json
index 401acf9..d4cec59 100644
--- a/package.json
+++ b/package.json
@@ -39,7 +39,8 @@
 "url": "https://github.com/getditto/react-ditto.git"
 },
 "dependencies": {
- "lodash.isequal": "^4.5.0"
+ "lodash.isequal": "^4.5.0",
+ "tmp": "^0.2.6"
 },
 "peerDependencies": {
 "@dittolive/ditto": "^5.0.0",

From f2fabaa3e87f3bad3f6a6cd886ba602fb09ea9b7 Mon Sep 17 00:00:00 2001
From: Claude
Date: Thu, 11 Jun 2026 00:09:35 +0000
Subject: [PATCH 2/2] Move tmp from dependencies to overrides

tmp is a Node-only package that is not imported anywhere in the source. It is already brought in transitively via karma/karma-typescript dev tooling, so listing it as a direct runtime dependency unnecessarily pollutes the published dependency graph and can cause browser bundlers to pull in Node-only modules for consumers.
https://claude.ai/code/session_01WQBhS3gh24pwaFgriCfpU8
---
 package.json | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/package.json b/package.json
index d4cec59..c2f9032 100644
--- a/package.json
+++ b/package.json
@@ -39,8 +39,7 @@
 "url": "https://github.com/getditto/react-ditto.git"
 },
 "dependencies": {
- "lodash.isequal": "^4.5.0",
- "tmp": "^0.2.6"
+ "lodash.isequal": "^4.5.0"
 },
 "peerDependencies": {
 "@dittolive/ditto": "^5.0.0",
@@ -55,7 +54,8 @@
 },
 "serialize-javascript": "7.0.4",
 "@babel/plugin-transform-modules-systemjs": "7.29.4",
- "basic-ftp": "5.3.1"
+ "basic-ftp": "5.3.1",
+ "tmp": "^0.2.6"
 },
 "devDependencies": {
 "@dittolive/ditto": "^5.0.0",
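Review bot: package-lock.json is not touched by this patch (the diffstat lists only package.json), so the lockfile written by the previous commit still records `"tmp": "^0.2.6"` under the root `""` package's `dependencies` and has dropped `"dev": true` from `node_modules/tmp`, which now contradicts the manifest this hunk produces. A manifest/lock mismatch makes `npm ci` refuse to install, and the published dependency graph the commit message sets out to clean up is still what the lock describes. Regenerating the lock with `npm install` after this change should remove `tmp` from the root entry and mark `node_modules/tmp` dev-only again while the new `overrides` entry keeps it at 0.2.6; that regenerated lock belongs in this commit. It is also worth confirming from the regenerated lock that the override actually applies to the copy reached through karma/karma-typescript, since that is the only path that now pulls the package in.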