From 8182aa34940a5c3d28dbb24ce802921d8aa7b434 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Thu, 28 May 2026 13:01:57 +0200
Subject: [PATCH] build(deps): bump tmp from 0.2.5 to 0.2.6 (#1397)

Co-authored-by: Fernandez Ludovic
---
 dist/post_run/index.js | 25 ++++++++++++++++++++-----
 dist/run/index.js      | 25 ++++++++++++++++++++-----
 package-lock.json      | 12 ++++++------
 package.json           |  2 +-
 4 files changed, 47 insertions(+), 17 deletions(-)

diff --git a/dist/post_run/index.js b/dist/post_run/index.js
index 28547fb..6adc770 100644
--- a/dist/post_run/index.js
+++ b/dist/post_run/index.js
@@ -29642,6 +29642,19 @@ function _generateTmpName(opts) {
   return path.join(tmpDir, opts.dir, name);
 }
 
+/**
+ * Check the prefix and postfix options
+ *
+ * @private
+ */
+function _assertPath(path) {
+  if (path.includes("..")) {
+    throw new Error("Relative value not allowed");
+  }
+
+  return path;
+}
+
 /**
  * Asserts and sanitizes the basic options.
  *
@@ -29656,8 +29669,9 @@ function _assertOptionsBase(options) {
     // must not fail on valid . or .. or similar such constructs
     const basename = path.basename(name);
 
-    if (basename === '..' || basename === '.' || basename !== name)
+    if (basename === '..' || basename === '.' || basename !== name) {
       throw new Error(`name option must not contain a path, found "${name}".`);
+    }
   }
 
   /* istanbul ignore else */
@@ -29678,8 +29692,9 @@ function _assertOptionsBase(options) {
   options.unsafeCleanup = !!options.unsafeCleanup;
 
   // for completeness' sake only, also keep (multiple) blanks if the user, purportedly sane, requests us to
-  options.prefix = _isUndefined(options.prefix) ? '' : options.prefix;
-  options.postfix = _isUndefined(options.postfix) ? '' : options.postfix;
+  options.prefix = _isUndefined(options.prefix) ? '' : _assertPath(options.prefix);
+  options.postfix = _isUndefined(options.postfix) ? '' : _assertPath(options.postfix);
+  options.template = _isUndefined(options.template) ? undefined : _assertPath(options.template);
 }
 
 /**
@@ -29695,7 +29710,7 @@ function _getRelativePath(option, name, tmpDir, cb) {
 
     const relativePath = path.relative(tmpDir, resolvedPath);
 
-    if (!resolvedPath.startsWith(tmpDir)) {
+    if (relativePath.startsWith('..') || path.isAbsolute(relativePath)) {
       return cb(new Error(`${option} option must be relative to "${tmpDir}", found "${relativePath}".`));
     }
 
@@ -29714,7 +29729,7 @@ function _getRelativePathSync(option, name, tmpDir) {
   const resolvedPath = _resolvePathSync(name, tmpDir);
   const relativePath = path.relative(tmpDir, resolvedPath);
 
-  if (!resolvedPath.startsWith(tmpDir)) {
+  if (relativePath.startsWith('..') || path.isAbsolute(relativePath)) {
     throw new Error(`${option} option must be relative to "${tmpDir}", found "${relativePath}".`);
   }
 
diff --git a/dist/run/index.js b/dist/run/index.js
index cfaeba7..97ca668 100644
--- a/dist/run/index.js
+++ b/dist/run/index.js
@@ -29642,6 +29642,19 @@ function _generateTmpName(opts) {
   return path.join(tmpDir, opts.dir, name);
 }
 
+/**
+ * Check the prefix and postfix options
+ *
+ * @private
+ */
+function _assertPath(path) {
+  if (path.includes("..")) {
+    throw new Error("Relative value not allowed");
+  }
+
+  return path;
+}
+
 /**
  * Asserts and sanitizes the basic options.
  *
@@ -29656,8 +29669,9 @@ function _assertOptionsBase(options) {
     // must not fail on valid . or .. or similar such constructs
     const basename = path.basename(name);
 
-    if (basename === '..' || basename === '.' || basename !== name)
+    if (basename === '..' || basename === '.' || basename !== name) {
       throw new Error(`name option must not contain a path, found "${name}".`);
+    }
   }
 
   /* istanbul ignore else */
@@ -29678,8 +29692,9 @@ function _assertOptionsBase(options) {
   options.unsafeCleanup = !!options.unsafeCleanup;
 
   // for completeness' sake only, also keep (multiple) blanks if the user, purportedly sane, requests us to
-  options.prefix = _isUndefined(options.prefix) ? '' : options.prefix;
-  options.postfix = _isUndefined(options.postfix) ? '' : options.postfix;
+  options.prefix = _isUndefined(options.prefix) ? '' : _assertPath(options.prefix);
+  options.postfix = _isUndefined(options.postfix) ? '' : _assertPath(options.postfix);
+  options.template = _isUndefined(options.template) ? undefined : _assertPath(options.template);
 }
 
 /**
@@ -29695,7 +29710,7 @@ function _getRelativePath(option, name, tmpDir, cb) {
 
     const relativePath = path.relative(tmpDir, resolvedPath);
 
-    if (!resolvedPath.startsWith(tmpDir)) {
+    if (relativePath.startsWith('..') || path.isAbsolute(relativePath)) {
       return cb(new Error(`${option} option must be relative to "${tmpDir}", found "${relativePath}".`));
     }
 
@@ -29714,7 +29729,7 @@ function _getRelativePathSync(option, name, tmpDir) {
   const resolvedPath = _resolvePathSync(name, tmpDir);
   const relativePath = path.relative(tmpDir, resolvedPath);
 
-  if (!resolvedPath.startsWith(tmpDir)) {
+  if (relativePath.startsWith('..') || path.isAbsolute(relativePath)) {
     throw new Error(`${option} option must be relative to "${tmpDir}", found "${relativePath}".`);
   }
 
diff --git a/package-lock.json b/package-lock.json
index 14fd217..1c2dea2 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -1,12 +1,12 @@
 {
   "name": "golanci-lint-action",
-  "version": "8.0.0",
+  "version": "9.2.1",
   "lockfileVersion": 3,
   "requires": true,
   "packages": {
     "": {
       "name": "golanci-lint-action",
-      "version": "8.0.0",
+      "version": "9.2.1",
       "license": "MIT",
       "dependencies": {
         "@actions/cache": "^5.0.3",
@@ -20,7 +20,7 @@
         "@types/semver": "^7.7.1",
         "@types/tmp": "^0.2.6",
         "@types/which": "^3.0.4",
-        "tmp": "^0.2.5",
+        "tmp": "^0.2.6",
         "which": "^7.0.0",
         "yaml": "^2.9.0"
       },
@@ -4038,9 +4038,9 @@
       }
     },
     "node_modules/tmp": {
-      "version": "0.2.5",
-      "resolved": "https://registry.npmjs.org/tmp/-/tmp-0.2.5.tgz",
-      "integrity": "sha512-voyz6MApa1rQGUxT3E+BK7/ROe8itEx7vD8/HEvt4xwXucvQ5G5oeEiHkmHZJuBO21RpOf+YYm9MOivj709jow==",
+      "version": "0.2.6",
+      "resolved": "https://registry.npmjs.org/tmp/-/tmp-0.2.6.tgz",
+      "integrity": "sha512-5sJPdPjfI5Kx+qbrDesxkglRBxW//g7hCsqspEjwkewGvBMGIKMOTKzLt1hFVJzyadba3lDUN20O9qhvbQUSTA==",
       "license": "MIT",
       "engines": {
         "node": ">=14.14"
diff --git a/package.json b/package.json
index 5f8a8a2..223f0c8 100644
--- a/package.json
+++ b/package.json
@@ -38,7 +38,7 @@
     "@types/semver": "^7.7.1",
     "@types/tmp": "^0.2.6",
     "@types/which": "^3.0.4",
-    "tmp": "^0.2.5",
+    "tmp": "^0.2.6",
     "which": "^7.0.0",
     "yaml": "^2.9.0"
   },