Skip to content

Bump tmp and eslint#104

Open
dependabot[bot] wants to merge 1 commit into
masterfrom
dependabot/npm_and_yarn/multi-ce2a7fe9d8
Open

Bump tmp and eslint#104
dependabot[bot] wants to merge 1 commit into
masterfrom
dependabot/npm_and_yarn/multi-ce2a7fe9d8

Conversation

@dependabot
Copy link
Copy Markdown
Contributor

@dependabot dependabot Bot commented on behalf of github May 27, 2026

Removes tmp. It's no longer used after updating ancestor dependency eslint. These dependencies need to be updated together.

Removes tmp

Updates eslint from 6.8.0 to 10.4.0

Release notes

Sourced from eslint's releases.

v10.4.0

Features

  • 1a45ec5 feat: check sequence expressions in for-direction (#20701) (kuldeep kumar)
  • 450040b feat: add includeIgnoreFile() to eslint/config (#20735) (Kirk Waiblinger)

Bug Fixes

  • 544c0c3 fix: escape code path DOT labels in debug output (#20866) (Pixel998)
  • 6799431 fix: update dependency @​eslint/config-helpers to ^0.6.0 (#20850) (renovate[bot])
  • f078fef fix: handle non-array deprecated rule replacements (#20825) (xbinaryx)

Documentation

  • 7e52a71 docs: add mention of @eslint-react/eslint-plugin (#20869) (Pavel)
  • db3468b docs: tweak wording around ambiguous CJS-vs-ESM config (#20865) (Kirk Waiblinger)
  • 9084664 docs: Update README (GitHub Actions Bot)
  • 9cc7387 docs: Update README (GitHub Actions Bot)
  • 3d7b548 docs: Update README (GitHub Actions Bot)
  • 191ec3c docs: Update README (GitHub Actions Bot)

Chores

  • 6616856 chore: upgrade knip to v6 (#20875) (Pixel998)
  • d13b084 ci: ensure auto-created PRs run CI (#20860) (lumir)
  • e71c7af ci: bump pnpm/action-setup from 6.0.5 to 6.0.7 (#20862) (dependabot[bot])
  • d84393d test: add unit tests for SuppressionsService.applySuppressions() (#20863) (kuldeep kumar)
  • 24db8cb test: add tests for SuppressionsService.save() (#20802) (kuldeep kumar)
  • 2ef0549 chore: update ecosystem plugins (#20857) (github-actions[bot])
  • a429791 ci: remove eslint-webpack-plugin types integration test (#20668) (Milos Djermanovic)
  • 9e37386 chore: replace recast with range approach in code-sample-minimizer (#20682) (Copilot)
  • 0dd1f9f test: disable warning for vm.constants.USE_MAIN_CONTEXT_DEFAULT_LOADER (#20845) (Francesco Trotta)
  • 9da3c7b refactor: remove deprecated meta.language and migrate meta.dialects (#20716) (Pixel998)
  • 2099ed1 refactor: add meta.defaultOptions to more rules, enable linting (#20800) (xbinaryx)
  • f1dfbc9 chore: update ecosystem plugins (#20836) (github-actions[bot])
  • c759413 ci: bump pnpm/action-setup from 6.0.3 to 6.0.5 (#20843) (dependabot[bot])
  • 5b817d6 test: add unit tests for lib/shared/ast-utils (#20838) (kuldeep kumar)
  • 1c13ae3 test: add unit tests for lib/shared/severity (#20835) (kuldeep kumar)

v10.3.0

Features

  • 379571a feat: add suggestions for no-unused-private-class-members (#20773) (sethamus)

Bug Fixes

  • b6ae5cf fix: handle unavailable require cache (#20812) (Simon Podlipsky)
  • 6fb3685 fix: rule suggestions cause continuation in class body (#20787) (Milos Djermanovic)

Documentation

  • 32cc7ab docs: fix typos in docs and comments (#20809) (Tanuj Kanti)
  • 7f47937 docs: Update README (GitHub Actions Bot)

Chores

  • d32235e ci: use pnpm in eslint-flat-config-utils type integration test (#20826) (Francesco Trotta)
  • 3ffb14e chore: clean up typos in comments and JSDoc (#20821) (Pixel998)

... (truncated)

Commits
Maintainer changes

This version was pushed to npm by eslintbot, a new releaser for eslint since your current version.


Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

@dependabot
Bump tmp and eslint
d637786 
Removes [tmp](https://github.com/raszi/node-tmp). It's no longer used after updating ancestor dependency [eslint](https://github.com/eslint/eslint). These dependencies need to be updated together.


Removes `tmp`

Updates `eslint` from 6.8.0 to 10.4.0
- [Release notes](https://github.com/eslint/eslint/releases)
- [Commits](eslint/eslint@v6.8.0...v10.4.0)

---
updated-dependencies:
- dependency-name: tmp
  dependency-version:
  dependency-type: indirect
- dependency-name: eslint
  dependency-version: 10.4.0
  dependency-type: direct:development
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels May 27, 2026
@dg-appsec-cxone
Copy link
Copy Markdown

dg-appsec-cxone commented May 27, 2026

Logo
Checkmarx One – Scan Summary & Detailse272872d-74af-45be-a545-1b81260d8131

New Issues (30) Checkmarx found the following issues in this Pull Request
# Severity Issue Source File / Package Checkmarx Insight
1 CRITICAL CVE-2026-4800 Npm-lodash-4.17.19
detailsRecommended version: 4.18.0
Description: The fix for CVE-2021-23337 added validation for the variable option in _.template but did not apply the same validation to "options.imports" key na...
Attack Vector: NETWORK
Attack Complexity: LOW
Vulnerable Package
2 HIGH CVE-2025-66418 Python-urllib3-1.26.20
detailsRecommended version: 2.7.0
Description: urllib3 is a user-friendly HTTP client library for Python. Starting in version 1.24 and prior to 2.6.0, the number of links in the decompression ch...
Attack Vector: NETWORK
Attack Complexity: LOW
Vulnerable Package
3 HIGH CVE-2025-66471 Python-urllib3-1.26.20
detailsRecommended version: 2.7.0
Description: urllib3 is a user-friendly HTTP client library for Python. Starting in version 1.0 and prior to 2.6.0, the Streaming API improperly handles highly ...
Attack Vector: NETWORK
Attack Complexity: LOW
Vulnerable Package
4 HIGH CVE-2026-0775 Npm-npm-6.14.9
detailsRecommended version: 10.9.5
Description: npm cli Incorrect Permission Assignment Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges ...
Attack Vector: LOCAL
Attack Complexity: HIGH
Vulnerable Package
5 HIGH CVE-2026-21441 Python-urllib3-1.26.20
detailsRecommended version: 2.7.0
Description: urllib3 is an HTTP client library for Python. urllib3's streaming API is designed for the efficient handling of large HTTP responses by reading the...
Attack Vector: NETWORK
Attack Complexity: LOW
Vulnerable Package
6 HIGH CVE-2026-23745 Npm-tar-4.4.13
detailsRecommended version: 7.5.11
Description: node-tar is a Tar for Node.js. The node-tar library versions through 7.5.2 fail to sanitize the "linkpath" of Link (hardlink) and Symbolic Link ent...
Attack Vector: LOCAL
Attack Complexity: LOW
Vulnerable Package
7 HIGH CVE-2026-24842 Npm-tar-4.4.13
detailsRecommended version: 7.5.11
Description: node-tar, a Tar for Node.js, contains a vulnerability in versions prior to 7.5.7 where the security check for hardlink entries uses different path ...
Attack Vector: NETWORK
Attack Complexity: LOW
Vulnerable Package
8 HIGH CVE-2026-26960 Npm-tar-4.4.13
detailsRecommended version: 7.5.11
Description: "tar.extract()" in Node tar allows an attacker-controlled archive to create a hardlink inside the extraction directory that points to a file outsid...
Attack Vector: LOCAL
Attack Complexity: LOW
Vulnerable Package
9 HIGH CVE-2026-26996 Npm-minimatch-3.0.4
detailsRecommended version: 3.1.4
Description: minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Versions prior to 3.1.3, 4.0.0 prior to 4.2...
Attack Vector: NETWORK
Attack Complexity: LOW
Vulnerable Package
10 HIGH CVE-2026-27903 Npm-minimatch-3.0.4
detailsRecommended version: 3.1.4
Description: minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. All versions starting from 3.0.0 and prior ...
Attack Vector: NETWORK
Attack Complexity: LOW
Vulnerable Package
11 HIGH CVE-2026-27904 Npm-minimatch-3.0.4
detailsRecommended version: 3.1.4
Description: minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. All versions starting from 3.0.0 and prior ...
Attack Vector: NETWORK
Attack Complexity: LOW
Vulnerable Package
12 HIGH CVE-2026-27959 Npm-koa-2.13.0
detailsRecommended version: 2.16.4
Description: Koa is middleware for Node.js using ES2017 async functions. Prior to versions 2.16.4 and 3.x prior to 3.1.2, Koa's `ctx.hostname` API performs naiv...
Attack Vector: NETWORK
Attack Complexity: LOW
Vulnerable Package
13 HIGH CVE-2026-29786 Npm-tar-4.4.13
detailsRecommended version: 7.5.11
Description: node-tar is a full-featured Tar for Node.js. Prior to version 7.5.10, tar can be tricked into creating a hardlink that points outside the extractio...
Attack Vector: LOCAL
Attack Complexity: LOW
Vulnerable Package
14 HIGH CVE-2026-31802 Npm-tar-4.4.13
detailsRecommended version: 7.5.11
Description: node-tar is a full-featured Tar for Node.js. Prior to version 7.5.11, tar (npm) can be tricked into creating a symlink that points outside the extr...
Attack Vector: LOCAL
Attack Complexity: LOW
Vulnerable Package
15 HIGH CVE-2026-33671 Npm-picomatch-2.2.2
detailsRecommended version: 2.3.2
Description: `picomatch` is vulnerable prior to 2.3.2, 3.x prior to 3.0.2 and 4.x prior to 4.0.4, to Regular Expression Denial of Service (ReDoS) when processi...
Attack Vector: NETWORK
Attack Complexity: LOW
Vulnerable Package
16 HIGH CVE-2026-33750 Npm-brace-expansion-1.1.11
detailsRecommended version: 1.1.13
Description: The brace-expansion library generates arbitrary strings containing a common prefix and suffix. In versions prior to 1.1.13, 2.0.0 prior to 2.0.3, 3...
Attack Vector: NETWORK
Attack Complexity: LOW
Vulnerable Package
17 HIGH CVE-2026-34043 Npm-serialize-javascript-3.1.0
detailsRecommended version: 7.0.5
Description: Serialize JavaScript to a superset of JSON that includes regular expressions and functions. Prior to version 7.0.5, there is a Denial-of-Service (D...
Attack Vector: NETWORK
Attack Complexity: LOW
Vulnerable Package
18 HIGH CVE-2026-44431 Python-urllib3-1.26.20
detailsRecommended version: 2.7.0
Description: When following cross-origin redirects for requests made using urllib3's high-level APIs, such as `urllib3.request()`, `PoolManager.request()`, and ...
Attack Vector: NETWORK
Attack Complexity: HIGH
Vulnerable Package
19 HIGH Cxf5fb15b0-6576 Npm-serialize-javascript-3.1.0
detailsRecommended version: 7.0.5
Description: serialize-javascript through 7.0.2 contains a code injection vulnerability due to improper escaping of "RegExp.flags" during serialization. Althoug...
Attack Vector: NETWORK
Attack Complexity: HIGH
Vulnerable Package
20 MEDIUM CVE-2025-13465 Npm-lodash-4.17.19
detailsRecommended version: 4.18.0
Description: Lodash versions from 4.0.0 through 4.17.22 are vulnerable to Prototype Pollution in the "_.unset" and "_.omit" functions. An attacker can pass craf...
Attack Vector: NETWORK
Attack Complexity: LOW
Vulnerable Package
21 MEDIUM CVE-2025-14505 Npm-elliptic-6.5.4
detailsDescription: The ECDSA implementation of the Elliptic package generates incorrect signatures if an interim value of 'k' (as computed based on step 3.2 of RFC 6...
Attack Vector: NETWORK
Attack Complexity: HIGH
Vulnerable Package
22 MEDIUM CVE-2025-15284 Npm-qs-6.5.2
detailsRecommended version: 6.5.4
Description: Improper Input Validation vulnerability in qs (parse modules) versions prior to 6.14.1 allows HTTP Denial-of-Service (DoS). The "arrayLimit" option...
Attack Vector: NETWORK
Attack Complexity: LOW
Vulnerable Package
23 MEDIUM CVE-2026-23950 Npm-tar-4.4.13
detailsRecommended version: 7.5.11
Description: node-tar,a Tar for Node.js, has a race condition vulnerability in versions through 7.5.3. This is due to an incomplete handling of Unicode path col...
Attack Vector: NETWORK
Attack Complexity: HIGH
Vulnerable Package
24 MEDIUM CVE-2026-2739 Npm-bn.js-4.11.9
detailsRecommended version: 4.12.3
Description: This affects versions of the package bn.js prior to 4.12.3 and 5.x prior to 5.2.3. Calling "maskn(0)" on any BN instance corrupts the internal stat...
Attack Vector: NETWORK
Attack Complexity: LOW
Vulnerable Package
25 MEDIUM CVE-2026-2739 Npm-bn.js-5.1.2
detailsRecommended version: 5.2.3
Description: This affects versions of the package bn.js prior to 4.12.3 and 5.x prior to 5.2.3. Calling "maskn(0)" on any BN instance corrupts the internal stat...
Attack Vector: NETWORK
Attack Complexity: LOW
Vulnerable Package
26 MEDIUM CVE-2026-2739 Npm-bn.js-4.12.0
detailsRecommended version: 4.12.3
Description: This affects versions of the package bn.js prior to 4.12.3 and 5.x prior to 5.2.3. Calling "maskn(0)" on any BN instance corrupts the internal stat...
Attack Vector: NETWORK
Attack Complexity: LOW
Vulnerable Package
27 MEDIUM CVE-2026-33672 Npm-picomatch-2.2.2
detailsRecommended version: 2.3.2
Description: Picomatch is a glob matcher written JavaScript. Versions prior to 2.3.2, 3.0.0 prior to 3.0.2 and 4.0.0 prior to 4.0.4, are vulnerable to a method ...
Attack Vector: NETWORK
Attack Complexity: LOW
Vulnerable Package
28 MEDIUM CVE-2026-40895 Npm-follow-redirects-1.12.1
detailsRecommended version: 1.16.0
Description: follow-redirects is an open source, drop-in replacement for Node's `http` and `https` modules that automatically follows redirects. Prior to versio...
Attack Vector: NETWORK
Attack Complexity: LOW
Vulnerable Package
29 LOW CVE-2025-69873 Npm-ajv-6.12.6
detailsRecommended version: 6.14.0
Description: ajv (Another JSON Schema Validator) through version 8.17.1 is vulnerable to Regular Expression Denial of Service (ReDoS) when the "$data" option is...
Attack Vector: LOCAL
Attack Complexity: HIGH
Vulnerable Package
30 LOW CVE-2026-41988 Npm-uuid-3.3.3
detailsRecommended version: 14.0.0
Description: uuid prior to 14.0.0 can make unexpected writes when external output buffers are used, and the UUID version is 3, 5, or 6. In particular, UUID vers...
Attack Vector: LOCAL
Attack Complexity: HIGH
Vulnerable Package
Fixed Issues (3) Great job! The following issues were fixed in this Pull Request
Severity Issue Source File / Package
HIGH CVE-2023-26115 Npm-word-wrap-1.2.3
MEDIUM CVE-2020-15366 Npm-ajv-6.12.2
MEDIUM CVE-2025-54798 Npm-tmp-0.0.33

Use @Checkmarx to interact with Checkmarx PR Assistant.
Examples:
@Checkmarx how are you able to help me?
@Checkmarx rescan this PR

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@dg-appsec-cxone