fix: Revert "fix: update `tmp` dependency to solve CVE-2026-44705" by robertolopezlopez · Pull Request #6875 · snyk/cli

robertolopezlopez · 2026-06-02T15:48:41Z

Pull Request Submission Checklist

Follows CONTRIBUTING guidelines
Commit messages
are release-note ready, emphasizing
what was changed, not how.
Includes detailed description of changes
Contains risk assessment (Low | Medium | High)
Highlights breaking API changes (if applicable)
Links to automated tests covering new functionality
Includes manual testing instructions (if necessary)
Updates relevant GitBook documentation (PR link: ___)
Includes product update to be announced in the next stable release notes

What does this PR do?

Revert the override from previous merge.
Upgrade production packages which depend on the outdated tmp package
Added an override for snyk-python-plugin which installs tmp@0.2.6 in case this dependency is affected by CVE-2026-44705

Where should the reviewer start?

How should this be manually tested?

What's the product update that needs to be communicated to CLI users?

snyk-io · 2026-06-02T15:49:09Z

✅ Snyk checks have passed. No issues have been found so far.

Status	Scan Engine	Critical	High	Medium	Low	Total (0)
✅	Open Source Security	0	0	0	0	0 issues
✅	Licenses	0	0	0	0	0 issues
✅	Code Security	0	0	0	0	0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

CatalinSnyk · 2026-06-03T11:09:37Z

@robertolopezlopez Why is this diff so big? Did you use a different NodeJs version?

CI also has a few weird failures, I think something is not right.

Why is this diff so big? Did you use a different NodeJs version?

v22.22.2 as stated in .nvmrc. I have not added anything package-lock.json apart from what npm install did.

CI also has a few weird failures

Yes, I have seen those strange errors and do not really understand the reason :-/

The big diff may be related to the version bump for @snyk/snyk-hex-plugin and snyk-go-plugin

Could you try to regenerate this again? I did the same changes locally to the package.json file and I got this diff for the lockfile, which I think makes more sense. The +7.8k -5.5k sounds too big for just 2-3 dependency changes (also most of them are minor updates).

Weird enough, I applied the same commands once again and got much smaller diff. Still, not the +46-10 you got

So what are you doing exactly? Which node.js version? Thanks

Checkout main

Apply the same changes to package.json as this PR

npm i

The diff I get is +46 -10, and it makes sense - just minor bumps and 3 lockfile additions for some dev dependencies that were being overwritten previously.

robertolopezlopez · 2026-06-03T11:34:08Z

    "minimatch@^3.1.2": "3.1.3",
-    "tmp": "0.2.7",
+    "snyk-python-plugin": {
+      "tmp@<0.2.6": "^0.2.6"


I am adding this override here until snyk-python-plugin will be fixed upstream

robertolopezlopez · 2026-06-04T06:32:31Z

ok

…

On Wed, Jun 3, 2026 at 4:31 PM CatalinSnyk ***@***.***> wrote: ***@***.**** commented on this pull request. ------------------------------ On package-lock.json <#6875 (comment)>: Could you try to regenerate this again? I did the same changes locally to the package.json file and I got this diff for the lockfile, which I think makes more sense. The +7.8k -5.5k sounds too big for just 2-3 dependency changes (also most of them are minor updates). image.png (view on web) <https://github.com/user-attachments/assets/04bb3fab-2957-417f-bbf8-1b49772d25c4> — Reply to this email directly, view it on GitHub <#6875?email_source=notifications&email_token=AALS624T7V4NCV4XFG2NI2T46AZETA5CNFSNUABKM5UWIORPF5TWS5BNNB2WEL2QOVWGYUTFOF2WK43UKJSXM2LFO4XTINBRHE2TAOJVHA42M4TFMFZW63VHNVSW45DJN5XKKZLWMVXHJLDGN5XXIZLSL5RWY2LDNM#discussion_r3349292834>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AALS623LT25MC5B3KAW35OL46AZETAVCNFSM6AAAAACZXMA6N2VHI2DSMVQWIX3LMV43YUDVNRWFEZLROVSXG5CSMV3GSZLXHM2DIMJZGUYDSNJYHE> . You are receiving this because you were mentioned.Message ID: ***@***.***>

snyk-pr-review-bot · 2026-06-04T14:38:43Z