From 581fbf4b80ad464673ffe23f611e3ad391d0321e Mon Sep 17 00:00:00 2001
From: Igor Menkov
Date: Fri, 12 Jun 2026 14:34:00 +0200
Subject: [PATCH] Fix CVE-2026-44705: bump tmp from ^0.2.4 to ^0.2.6 Resolves GHSA-ph9p-34f9-6g65 (Path Traversal via unsanitized prefix/postfix, CWE-22, high). Installed version goes from 0.2.5 to 0.2.7 (current latest in the 0.2.x line); no API surface changes between these versions and `tmp` has no call sites in this repo (declared-but-unused dep), so no source edits required. S360-Run-Id: 495d2f2c-025e-4d09-ad47-bf5a23bad72f S360-KPI: SFI-ES5.2 S360-Skill: dependabot:dependency-update-orchestrator S360-Arm: dedicated_skill S360-Action-Items: 928b7015-db58-41a3-94ea-ab73c7bb9f4d:17027a63-3844-47e7-858a-baccf93ba52e
---
 package-lock.json | 14 +++++++-------
 package.json | 2 +-
 2 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/package-lock.json b/package-lock.json
index 8acc9617..0921171d 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -26,7 +26,7 @@
 "prompt": "^1.3.0",
 "read": "^1.0.6",
 "shelljs": "^0.10.0",
- "tmp": "^0.2.4",
+ "tmp": "^0.2.6",
 "tracer": "0.7.4",
 "util.promisify": "^1.0.0",
 "uuid": "^13.0.0",
@@ -3990,9 +3990,9 @@
 }
 },
 "node_modules/tmp": {
- "version": "0.2.5",
- "resolved": "https://pkgs.dev.azure.com/mseng/PipelineTools/_packaging/PipelineTools_PublicPackages/npm/registry/tmp/-/tmp-0.2.5.tgz",
- "integrity": "sha1-sGvNI/DzyDV7QmiRcm0WAVq/2Pg=",
+ "version": "0.2.7",
+ "resolved": "https://pkgs.dev.azure.com/mseng/PipelineTools/_packaging/PipelineTools_PublicPackages/npm/registry/tmp/-/tmp-0.2.7.tgz",
+ "integrity": "sha1-JvTbEdFgHOgBLcuKeY7OHAapkFk=",
 "license": "MIT",
 "engines": {
 "node": ">=14.14"
@@ -7042,9 +7042,9 @@
 "integrity": "sha1-yWih5VWa2VUyJO92J7qzTjyu+Kg="
 },
 "tmp": {
- "version": "0.2.5",
- "resolved": "https://pkgs.dev.azure.com/mseng/PipelineTools/_packaging/PipelineTools_PublicPackages/npm/registry/tmp/-/tmp-0.2.5.tgz",
- "integrity": "sha1-sGvNI/DzyDV7QmiRcm0WAVq/2Pg="
+ "version": "0.2.7",
+ "resolved": "https://pkgs.dev.azure.com/mseng/PipelineTools/_packaging/PipelineTools_PublicPackages/npm/registry/tmp/-/tmp-0.2.7.tgz",
+ "integrity": "sha1-JvTbEdFgHOgBLcuKeY7OHAapkFk="
 },
 "to-regex-range": {
 "version": "5.0.1",
diff --git a/package.json b/package.json
index b2d5f412..f1db816c 100644
--- a/package.json
+++ b/package.json
@@ -58,7 +58,7 @@
 "prompt": "^1.3.0",
 "read": "^1.0.6",
 "shelljs": "^0.10.0",
- "tmp": "^0.2.4",
+ "tmp": "^0.2.6",
 "tracer": "0.7.4",
 "util.promisify": "^1.0.0",
 "uuid": "^13.0.0",