From b1cc800056e91d47bc6e1454f4fe6a2f2e482933 Mon Sep 17 00:00:00 2001 From: szdziedzic Date: Mon, 6 Jul 2026 19:19:54 +0200 Subject: [PATCH 1/2] fix tmp dependabot alert --- yarn.lock | 86 ++++++++++++++----------------------------------------- 1 file changed, 21 insertions(+), 65 deletions(-) diff --git a/yarn.lock b/yarn.lock index ab26a7732f..1e823fdc3d 100644 --- a/yarn.lock +++ b/yarn.lock @@ -4582,7 +4582,7 @@ __metadata: languageName: node linkType: hard -"@inquirer/external-editor@npm:^1.0.3": +"@inquirer/external-editor@npm:^1.0.0, @inquirer/external-editor@npm:^1.0.3": version: 1.0.3 resolution: "@inquirer/external-editor@npm:1.0.3" dependencies: @@ -9731,13 +9731,6 @@ __metadata: languageName: node linkType: hard -"chardet@npm:^0.7.0": - version: 0.7.0 - resolution: "chardet@npm:0.7.0" - checksum: 10c0/96e4731b9ec8050cbb56ab684e8c48d6c33f7826b755802d14e3ebfdc51c57afeece3ea39bc6b09acc359e4363525388b915e16640c1378053820f5e70d0f27d - languageName: node - linkType: hard - "chardet@npm:^2.1.1": version: 2.1.1 resolution: "chardet@npm:2.1.1" @@ -11610,17 +11603,6 @@ __metadata: languageName: node linkType: hard -"external-editor@npm:^3.0.3": - version: 3.1.0 - resolution: "external-editor@npm:3.1.0" - dependencies: - chardet: "npm:^0.7.0" - iconv-lite: "npm:^0.4.24" - tmp: "npm:^0.0.33" - checksum: 10c0/c98f1ba3efdfa3c561db4447ff366a6adb5c1e2581462522c56a18bf90dfe4da382f9cd1feee3e330108c3595a854b218272539f311ba1b3298f841eb0fbf339 - languageName: node - linkType: hard - "extract-files@npm:^11.0.0": version: 11.0.0 resolution: "extract-files@npm:11.0.0" @@ -13087,15 +13069,6 @@ __metadata: languageName: node linkType: hard -"iconv-lite@npm:^0.4.24, iconv-lite@npm:~0.4.24": - version: 0.4.24 - resolution: "iconv-lite@npm:0.4.24" - dependencies: - safer-buffer: "npm:>= 2.1.2 < 3" - checksum: 10c0/c6886a24cc00f2a059767440ec1bc00d334a89f250db8e0f7feb4961c8727118457e27c495ba94d082e51d3baca378726cd110aaf7ded8b9bbfd6a44760cf1d4 - languageName: node - linkType: hard - "iconv-lite@npm:^0.6.2": version: 0.6.2 resolution: "iconv-lite@npm:0.6.2" @@ -13114,6 +13087,15 @@ __metadata: languageName: node linkType: hard +"iconv-lite@npm:~0.4.24": + version: 0.4.24 + resolution: "iconv-lite@npm:0.4.24" + dependencies: + safer-buffer: "npm:>= 2.1.2 < 3" + checksum: 10c0/c6886a24cc00f2a059767440ec1bc00d334a89f250db8e0f7feb4961c8727118457e27c495ba94d082e51d3baca378726cd110aaf7ded8b9bbfd6a44760cf1d4 + languageName: node + linkType: hard + "ieee754@npm:^1.1.13, ieee754@npm:^1.2.1": version: 1.2.1 resolution: "ieee754@npm:1.2.1" @@ -13327,24 +13309,25 @@ __metadata: linkType: hard "inquirer@npm:^8.0.0": - version: 8.2.0 - resolution: "inquirer@npm:8.2.0" + version: 8.2.7 + resolution: "inquirer@npm:8.2.7" dependencies: + "@inquirer/external-editor": "npm:^1.0.0" ansi-escapes: "npm:^4.2.1" chalk: "npm:^4.1.1" cli-cursor: "npm:^3.1.0" cli-width: "npm:^3.0.0" - external-editor: "npm:^3.0.3" figures: "npm:^3.0.0" lodash: "npm:^4.17.21" mute-stream: "npm:0.0.8" ora: "npm:^5.4.1" run-async: "npm:^2.4.0" - rxjs: "npm:^7.2.0" + rxjs: "npm:^7.5.5" string-width: "npm:^4.1.0" strip-ansi: "npm:^6.0.0" through: "npm:^2.3.6" - checksum: 10c0/efdd5e40c70fb66a8f87b39d75130cd4d1f8097338c73720eb254e3b66a36a17e136fdad6830aec22a2fdaaf426f0068cb31093ee8b8b60154177babd6c6ea2f + wrap-ansi: "npm:^6.0.1" + checksum: 10c0/75aa594231769d292102615da3199320359bfb566e96dae0f89a5773a18e21c676709d9f5a9fb1372f7d2cf25c551a4efe53691ff436d941f95336931777c15d languageName: node linkType: hard @@ -16765,13 +16748,6 @@ __metadata: languageName: node linkType: hard -"os-tmpdir@npm:~1.0.2": - version: 1.0.2 - resolution: "os-tmpdir@npm:1.0.2" - checksum: 10c0/f438450224f8e2687605a8dd318f0db694b6293c5d835ae509a69e97c8de38b6994645337e5577f5001115470414638978cc49da1cdcc25106dad8738dc69990 - languageName: node - linkType: hard - "oxfmt@npm:0.28.0": version: 0.28.0 resolution: "oxfmt@npm:0.28.0" @@ -18182,7 +18158,7 @@ __metadata: languageName: node linkType: hard -"rimraf@npm:3.0.2, rimraf@npm:^3.0.0": +"rimraf@npm:3.0.2": version: 3.0.2 resolution: "rimraf@npm:3.0.2" dependencies: @@ -18247,15 +18223,6 @@ __metadata: languageName: node linkType: hard -"rxjs@npm:^7.2.0": - version: 7.5.2 - resolution: "rxjs@npm:7.5.2" - dependencies: - tslib: "npm:^2.1.0" - checksum: 10c0/6d038a373130a301fef28acd14633ac6bcf7247c56c71e11e687854a594263bb96af045bf11a4bff15b152385e73ac3e31fbe516378a4bcf5aae1d67e3b847eb - languageName: node - linkType: hard - "rxjs@npm:^7.5.5": version: 7.5.6 resolution: "rxjs@npm:7.5.6" @@ -19435,21 +19402,10 @@ __metadata: languageName: node linkType: hard -"tmp@npm:^0.0.33": - version: 0.0.33 - resolution: "tmp@npm:0.0.33" - dependencies: - os-tmpdir: "npm:~1.0.2" - checksum: 10c0/69863947b8c29cabad43fe0ce65cec5bb4b481d15d4b4b21e036b060b3edbf3bc7a5541de1bacb437bb3f7c4538f669752627fdf9b4aaf034cebd172ba373408 - languageName: node - linkType: hard - "tmp@npm:~0.2.1": - version: 0.2.1 - resolution: "tmp@npm:0.2.1" - dependencies: - rimraf: "npm:^3.0.0" - checksum: 10c0/67607aa012059c9ce697bee820ee51bc0f39b29a8766def4f92d3f764d67c7cf9205d537d24e0cb1ce9685c40d4c628ead010910118ea18348666b5c46ed9123 + version: 0.2.7 + resolution: "tmp@npm:0.2.7" + checksum: 10c0/59eb55584f2f07210d3231b6a1f6b5c2b9794d8a7b509c8ee867ed2acad6d2245ee2448b7937b676ffbff3155a70077edde8a69f9d7cf0f90c86a62e8910c357 languageName: node linkType: hard @@ -20596,7 +20552,7 @@ __metadata: languageName: node linkType: hard -"wrap-ansi@npm:^6.2.0": +"wrap-ansi@npm:^6.0.1, wrap-ansi@npm:^6.2.0": version: 6.2.0 resolution: "wrap-ansi@npm:6.2.0" dependencies: From 70b218e4e49c27ecd5dfd39439fbc4ac800f0c6a Mon Sep 17 00:00:00 2001 From: szdziedzic Date: Mon, 6 Jul 2026 19:20:52 +0200 Subject: [PATCH 2/2] add changelog for tmp security fix --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index eb45a885a6..428a2f4b7c 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -14,6 +14,7 @@ This is the log of notable changes to EAS CLI and related packages. ### 🧹 Chores +- [eas-cli] Bump `tmp` to `0.2.7` to resolve [Dependabot alert 423](https://github.com/expo/eas-cli/security/dependabot/423). ([#3965](https://github.com/expo/eas-cli/pull/3965) by [@szdziedzic](https://github.com/szdziedzic)) - [worker] Bump `ws` to patched releases to resolve [Dependabot alert 462](https://github.com/expo/eas-cli/security/dependabot/462). ([#3963](https://github.com/expo/eas-cli/pull/3963) by [@szdziedzic](https://github.com/szdziedzic)) - [eas-cli] Bump `sigstore` to `4.1.1` to resolve [Dependabot alert 475](https://github.com/expo/eas-cli/security/dependabot/475). ([#3961](https://github.com/expo/eas-cli/pull/3961) by [@szdziedzic](https://github.com/szdziedzic)) - [eas-cli] Bump `axios` to patched releases to resolve [Dependabot alert 439](https://github.com/expo/eas-cli/security/dependabot/439). ([#3964](https://github.com/expo/eas-cli/pull/3964) by [@szdziedzic](https://github.com/szdziedzic))