build(deps): bump tmp from 0.2.6 to 0.2.7 (#1399)

Co-authored-by: Fernandez Ludovic <ldez@users.noreply.github.com>

dist/post_run/index.js

@@ -29643,16 +29643,26 @@ function _generateTmpName(opts) {
 }
 
 /**
- * Check the prefix and postfix options
+ * Check the prefix, postfix, and template options.
+ *
+ * Rejects non-string inputs so that a non-string `.includes('..')` cannot evade
+ * the substring check (e.g. an Array whose `.includes('..')` is element-wise,
+ * or a duck-typed object with a custom `.includes`), and so that the value is
+ * not later coerced to a string with traversal sequences via `Array.prototype.join`
+ * or `path.join`.
  *
  * @private
  */
-function _assertPath(path) {
+function _assertPath(option, value) {
-  if (path.includes("..")) {
+  if (typeof value !== 'string') {
+    throw new Error(`${option} option must be a string, got "${typeof value}".`);
+  }
+
+  if (value.includes("..")) {
     throw new Error("Relative value not allowed");
   }
 
-  return path;
+  return value;
 }
 
 /**
@@ -29675,9 +29685,14 @@ function _assertOptionsBase(options) {
   }
 
   /* istanbul ignore else */
-  if (!_isUndefined(options.template) && !options.template.match(TEMPLATE_PATTERN)) {
+  if (!_isUndefined(options.template)) {
+    if (typeof options.template !== 'string') {
+      throw new Error(`template option must be a string, got "${typeof options.template}".`);
+    }
+    if (!options.template.match(TEMPLATE_PATTERN)) {
       throw new Error(`Invalid template, found "${options.template}".`);
     }
+  }
 
   /* istanbul ignore else */
   if ((!_isUndefined(options.tries) && isNaN(options.tries)) || options.tries < 0) {
@@ -29692,9 +29707,9 @@ function _assertOptionsBase(options) {
   options.unsafeCleanup = !!options.unsafeCleanup;
 
   // for completeness' sake only, also keep (multiple) blanks if the user, purportedly sane, requests us to
-  options.prefix = _isUndefined(options.prefix) ? '' : _assertPath(options.prefix);
+  options.prefix = _isUndefined(options.prefix) ? '' : _assertPath('prefix', options.prefix);
-  options.postfix = _isUndefined(options.postfix) ? '' : _assertPath(options.postfix);
+  options.postfix = _isUndefined(options.postfix) ? '' : _assertPath('postfix', options.postfix);
-  options.template = _isUndefined(options.template) ? undefined : _assertPath(options.template);
+  options.template = _isUndefined(options.template) ? undefined : _assertPath('template', options.template);
 }
 
 /**

dist/run/index.js

@@ -29643,16 +29643,26 @@ function _generateTmpName(opts) {
 }
 
 /**
- * Check the prefix and postfix options
+ * Check the prefix, postfix, and template options.
+ *
+ * Rejects non-string inputs so that a non-string `.includes('..')` cannot evade
+ * the substring check (e.g. an Array whose `.includes('..')` is element-wise,
+ * or a duck-typed object with a custom `.includes`), and so that the value is
+ * not later coerced to a string with traversal sequences via `Array.prototype.join`
+ * or `path.join`.
  *
  * @private
  */
-function _assertPath(path) {
+function _assertPath(option, value) {
-  if (path.includes("..")) {
+  if (typeof value !== 'string') {
+    throw new Error(`${option} option must be a string, got "${typeof value}".`);
+  }
+
+  if (value.includes("..")) {
     throw new Error("Relative value not allowed");
   }
 
-  return path;
+  return value;
 }
 
 /**
@@ -29675,9 +29685,14 @@ function _assertOptionsBase(options) {
   }
 
   /* istanbul ignore else */
-  if (!_isUndefined(options.template) && !options.template.match(TEMPLATE_PATTERN)) {
+  if (!_isUndefined(options.template)) {
+    if (typeof options.template !== 'string') {
+      throw new Error(`template option must be a string, got "${typeof options.template}".`);
+    }
+    if (!options.template.match(TEMPLATE_PATTERN)) {
       throw new Error(`Invalid template, found "${options.template}".`);
     }
+  }
 
   /* istanbul ignore else */
   if ((!_isUndefined(options.tries) && isNaN(options.tries)) || options.tries < 0) {
@@ -29692,9 +29707,9 @@ function _assertOptionsBase(options) {
   options.unsafeCleanup = !!options.unsafeCleanup;
 
   // for completeness' sake only, also keep (multiple) blanks if the user, purportedly sane, requests us to
-  options.prefix = _isUndefined(options.prefix) ? '' : _assertPath(options.prefix);
+  options.prefix = _isUndefined(options.prefix) ? '' : _assertPath('prefix', options.prefix);
-  options.postfix = _isUndefined(options.postfix) ? '' : _assertPath(options.postfix);
+  options.postfix = _isUndefined(options.postfix) ? '' : _assertPath('postfix', options.postfix);
-  options.template = _isUndefined(options.template) ? undefined : _assertPath(options.template);
+  options.template = _isUndefined(options.template) ? undefined : _assertPath('template', options.template);
 }
 
 /**

package-lock.json

@@ -20,7 +20,7 @@
         "@types/semver": "^7.7.1",
         "@types/tmp": "^0.2.6",
         "@types/which": "^3.0.4",
-        "tmp": "^0.2.6",
+        "tmp": "^0.2.7",
         "which": "^7.0.0",
         "yaml": "^2.9.0"
       },
@@ -4038,9 +4038,9 @@
       }
     },
     "node_modules/tmp": {
-      "version": "0.2.6",
+      "version": "0.2.7",
-      "resolved": "https://registry.npmjs.org/tmp/-/tmp-0.2.6.tgz",
+      "resolved": "https://registry.npmjs.org/tmp/-/tmp-0.2.7.tgz",
-      "integrity": "sha512-5sJPdPjfI5Kx+qbrDesxkglRBxW//g7hCsqspEjwkewGvBMGIKMOTKzLt1hFVJzyadba3lDUN20O9qhvbQUSTA==",
+      "integrity": "sha512-e0votIpp4Uo2AJYSzVHV6xCcawuiez3DzqDAbrTc3YxBkplN6e+dM13ZeIcZnDg/QpSuU2zfZ3rzwY8ukEnaXw==",
       "license": "MIT",
       "engines": {
         "node": ">=14.14"

package.json

@@ -38,7 +38,7 @@
     "@types/semver": "^7.7.1",
     "@types/tmp": "^0.2.6",
     "@types/which": "^3.0.4",
-    "tmp": "^0.2.6",
+    "tmp": "^0.2.7",
     "which": "^7.0.0",
     "yaml": "^2.9.0"
   },