Status: Open
Label: type: bug (code to address defects in shipped code)
Description
Describe the bug
Installing netlify-cli results in the following npm audit output:
tmp <=0.2.3
tmp allows arbitrary temporary file / directory write via symbolic link `dir` parameter - https://github.com/advisories/GHSA-52f5-9888-hmc6
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/netlify-cli/node_modules/tmp
node_modules/netlify-cli/node_modules/tmp-promise/node_modules/tmp
external-editor >=1.1.1
Depends on vulnerable versions of tmp
node_modules/netlify-cli/node_modules/external-editor
inquirer 3.0.0 - 8.2.6 || 9.0.0 - 9.3.7
Depends on vulnerable versions of external-editor
node_modules/netlify-cli/node_modules/inquirer
netlify-cli >=2.0.0-alpha.1
Depends on vulnerable versions of inquirer
node_modules/netlify-cli
Workaround
Normally I would be able to override this in package.json with:
"overrides": {
"tmp": "0.2.4"
},
However, netlify-cli also erroneously includes npm-shrinkwrap.json, which blocks that (#6731).
Steps to reproduce
- npm i netlify-cli
- npm audit
Configuration
No response
Environment
N/A