
🔒 [Security] Medium Severity: Symlink Attack vulnerability in tmp dependency #21

@BekahHW

Description


Security Vulnerability Report

Summary

A MEDIUM severity vulnerability has been identified in the tmp package (version 0.0.33), a transitive dependency pulled in through @inquirer/prompts.

Details

  • Vulnerability: Symlink Attack
  • Severity: Medium
  • CVSS Score: 5.3
  • Reference: SNYK-JS-TMP-11501554
  • Affected Component: tmp@0.0.33

Dependency Chain

@inquirer/prompts@3.3.2
  └── @inquirer/editor@1.2.15
      └── external-editor@3.1.0
          └── tmp@0.0.33 (vulnerable)

Root Cause Analysis

The vulnerability allows an attacker to perform a symlink attack through the dir parameter, potentially leading to arbitrary file writes on the system. This occurs when the tmp package creates temporary files/directories without properly validating symbolic links.

Recommended Fix

Option 1: Upgrade @inquirer/prompts (Recommended)

npm install @inquirer/prompts@7.0.0

Note: This is a major version upgrade and may introduce breaking changes. Please review the migration guide.

Option 2: Override the vulnerable dependency

Add to package.json:

"overrides": {
  "tmp": "^0.2.4"
}

Testing After Fix

  1. Run npm install to update dependencies
  2. Verify with npm audit
  3. Run snyk test to confirm resolution
  4. Execute test suite to ensure no breaking changes

Long-term Security Guidance

  • Implement automated dependency scanning in CI/CD pipeline
  • Set up Snyk monitoring for continuous vulnerability detection
  • Establish a regular dependency update schedule (monthly recommended)
  • Consider using npm audit as a pre-commit hook

Additional Context

This vulnerability was discovered during a security scan on 2025-11-04. While not critical, it should be addressed to maintain security best practices.


Generated with security scanning tools
