From 69e3a358e328269563205efc754f68fd824aa4fd Mon Sep 17 00:00:00 2001 From: Eric Rozell Date: Tue, 30 Jun 2026 09:44:50 -0700 Subject: [PATCH] Bump tmp to 0.2.6 in yoga to fix GHSA-ph9p-34f9-6g65 Summary: Resolves the GitHub security alert for the `tmp` npm package in the facebook/yoga project (T273208322). `tmp` < 0.2.6 is affected by GHSA-ph9p-34f9-6g65 / CVE-2026-44705 (high severity). It is a transitive dependency pulled in via `selenium-webdriver` in the `gentest` workspace. This bumps the `tmp@^0.2.5` entry in `xplat/yoga/yarn.lock` from 0.2.5 to the fixed 0.2.6, updating the resolved URL and integrity hash. The `^0.2.5` range already satisfies 0.2.6, and tmp@0.2.6 has no dependencies, so no other lockfile entries change. Differential Revision: D110195946 --- yarn.lock | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/yarn.lock b/yarn.lock index 0780be3182..7cd110c810 100644 --- a/yarn.lock +++ b/yarn.lock @@ -10693,9 +10693,9 @@ tinyglobby@^0.2.11: picomatch "^4.0.3" tmp@^0.2.5: - version "0.2.5" - resolved "https://registry.yarnpkg.com/tmp/-/tmp-0.2.5.tgz#b06bcd23f0f3c8357b426891726d16015abfd8f8" - integrity sha512-voyz6MApa1rQGUxT3E+BK7/ROe8itEx7vD8/HEvt4xwXucvQ5G5oeEiHkmHZJuBO21RpOf+YYm9MOivj709jow== + version "0.2.6" + resolved "https://registry.yarnpkg.com/tmp/-/tmp-0.2.6.tgz#0dfac10fd09a9319288eb0e8f0ed524604e183b4" + integrity sha512-5sJPdPjfI5Kx+qbrDesxkglRBxW//g7hCsqspEjwkewGvBMGIKMOTKzLt1hFVJzyadba3lDUN20O9qhvbQUSTA== tmpl@1.0.5: version "1.0.5"