
tmp allows arbitrary temporary file / directory write via symbolic link `dir` parameter

Open nbouvrette opened this issue 4 months ago • 2 comments

I found this old-ish issue which I suspect should be closed: https://github.com/commitizen/cz-cli/issues/883

But even the latest version of commitizen contains the following issue:

# npm audit report

tmp  <=0.2.3
tmp allows arbitrary temporary file / directory write via symbolic link `dir` parameter - https://github.com/advisories/GHSA-52f5-9888-hmc6

Caused by:

├─┬ [email protected]
│ └─┬ [email protected]
│   └─┬ [email protected]
│     └── [email protected]

This issue is still not fixed as of now, even in the latest inquirer version. But once this issue is resolved, the inquirer package should be updated: https://github.com/SBoudrias/Inquirer.js/issues/1802

nbouvrette avatar Aug 08 '25 04:08 nbouvrette

A new patch release of [email protected] is out removing the problematic dependency related to this issue.

You should be able to update the transitive dependency; you might need npm audit if you have a lockfile present.

SBoudrias avatar Aug 09 '25 16:08 SBoudrias

npm audit can't be used because commitizen is pinned to the vulnerable version: https://github.com/commitizen/cz-cli/blob/master/package.json#L84

micchickenburger avatar Aug 11 '25 00:08 micchickenburger
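As an added example (not code from cz-cli, commitizen, Inquirer.js, or any commenter in this thread): a Python script that walks a package-lock.json (lockfileVersion 3) and reports every installed copy of tmp in the <=0.2.3 range named in the npm audit output above, together with the dependency chain from the project root. It uses Node-style nested node_modules resolution, so a hoisted newer copy is not mistaken for a nested old one and a pinned consumer such as the one in the last comment still shows up. The lockfile embedded in the script is constructed for the example and mirrors the commitizen > inquirer > external-editor > tmp chain; its version numbers are placeholders, and load_lock, pkg_name, and the chain format are this example's own.

```python
import json
from collections import deque

# Affected range from the npm audit line in this thread: "tmp <=0.2.3".
AFFECTED_MAX = (0, 2, 3)

# Constructed sample lockfile (lockfileVersion 3 layout). It mirrors the
# commitizen -> inquirer -> external-editor -> tmp chain from the audit output,
# but the version numbers are placeholders, not the real project's versions.
SAMPLE_LOCK = {
    "name": "example-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"commitizen": "1.0.0", "some-other-tool": "1.0.0"}},
        "node_modules/commitizen": {"version": "1.0.0", "dependencies": {"inquirer": "1.0.0"}},
        "node_modules/inquirer": {"version": "1.0.0", "dependencies": {"external-editor": "1.0.0"}},
        "node_modules/external-editor": {"version": "1.0.0", "dependencies": {"tmp": "0.0.33"}},
        "node_modules/some-other-tool": {"version": "1.0.0", "dependencies": {"tmp": "^0.2.0"}},
        # hoisted copy, outside the affected range
        "node_modules/tmp": {"version": "0.2.4"},
        # nested copy pulled in by external-editor, inside the affected range
        "node_modules/external-editor/node_modules/tmp": {"version": "0.0.33"},
    },
}


def parse_version(version):
    """Turn '0.2.3' or '0.2.3-beta.1' into a comparable tuple of ints (core only)."""
    core = version.split("-", 1)[0].split("+", 1)[0]
    return tuple(int(part) for part in core.split("."))


def pkg_name(path):
    """Package name from a lockfile path; the empty path is the project root."""
    return path.rsplit("node_modules/", 1)[-1] if path else "<root>"


def resolve(packages, from_path, name):
    """Node-style resolution: nearest node_modules/<name> at or above from_path."""
    base = from_path
    while True:
        candidate = f"{base}/node_modules/{name}" if base else f"node_modules/{name}"
        if candidate in packages:
            return candidate
        if not base:
            return None
        idx = base.rfind("node_modules/")
        base = "" if idx <= 0 else base[:idx].rstrip("/")


def build_graph(packages):
    """Forward edges: installed package path -> resolved paths of its dependencies."""
    edges = {}
    for path, entry in packages.items():
        for dep in entry.get("dependencies", {}):
            target = resolve(packages, path, dep)
            if target is not None:
                edges.setdefault(path, []).append(target)
    return edges


def chain_to_root(edges, target):
    """Shortest dependent chain from the project root down to target, as names."""
    reverse = {}
    for src, dsts in edges.items():
        for dst in dsts:
            reverse.setdefault(dst, []).append(src)
    queue = deque([[target]])
    seen = {target}
    while queue:
        chain = queue.popleft()
        if chain[-1] == "":
            return [pkg_name(p) for p in reversed(chain)]
        for parent in reverse.get(chain[-1], []):
            if parent not in seen:
                seen.add(parent)
                queue.append(chain + [parent])
    return None  # installed, but nothing in the lock depends on it


def find_vulnerable_tmp(lock, name="tmp", affected_max=AFFECTED_MAX):
    """Every installed copy of `name` with version <= affected_max, with its chain."""
    packages = lock["packages"]
    edges = build_graph(packages)
    findings = []
    for path, entry in packages.items():
        if pkg_name(path) != name:
            continue
        if parse_version(entry["version"]) <= affected_max:
            findings.append({"path": path, "version": entry["version"],
                             "chain": chain_to_root(edges, path)})
    return findings


def load_lock(lock_path):
    """Read a real package-lock.json from disk (helper added for this example)."""
    with open(lock_path, encoding="utf-8") as fh:
        return json.load(fh)


if __name__ == "__main__":
    for finding in find_vulnerable_tmp(SAMPLE_LOCK):
        print(f"{finding['path']} ({finding['version']}): "
              + " > ".join(finding["chain"] or ["?"]))
```

Running it on the sample prints the nested 0.0.33 copy with the chain <root> > commitizen > inquirer > external-editor > tmp, while the hoisted 0.2.4 copy is not reported. Point load_lock at a real package-lock.json to check an actual project; because the report is computed from the lock rather than from npm audit, it still shows the chain when the consumer pins the old version and an audit fix cannot move it.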