$ date
--- stdout ---
Sat May 30 07:02:03 UTC 2026
--- end ---
$ git clone file:///srv/git/unicodejs.git /src/repo --depth=1 -b master
--- stderr ---
Cloning into '/src/repo'...
--- stdout ---
--- end ---
$ git config user.name libraryupgrader
--- stdout ---
--- end ---
$ git config user.email tools.libraryupgrader@tools.wmflabs.org
--- stdout ---
--- end ---
$ git submodule update --init
--- stdout ---
--- end ---
$ grr init
--- stdout ---
Installed commit-msg hook.
--- end ---
$ git show-ref refs/heads/master
--- stdout ---
f8c7addc9cffa830ec967efc3750ffb118d5b84d refs/heads/master
--- end ---
$ /usr/bin/npm audit --json
--- stdout ---
{
"auditReportVersion": 2,
"vulnerabilities": {
"tmp": {
"name": "tmp",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1119610,
"name": "tmp",
"dependency": "tmp",
"title": "tmp has Path Traversal via unsanitized prefix/postfix that enables directory escape",
"url": "https://github.com/advisories/GHSA-ph9p-34f9-6g65",
"severity": "high",
"cwe": [
"CWE-22"
],
"cvss": {
"score": 0,
"vectorString": null
},
"range": "<0.2.6"
}
],
"effects": [],
"range": "<0.2.6",
"nodes": [
"node_modules/tmp"
],
"fixAvailable": true
}
},
"metadata": {
"vulnerabilities": {
"info": 0,
"low": 0,
"moderate": 0,
"high": 1,
"critical": 0,
"total": 1
},
"dependencies": {
"prod": 1,
"dev": 570,
"optional": 1,
"peer": 1,
"peerOptional": 0,
"total": 570
}
}
}
--- end ---
$ /usr/bin/npm audit --json
--- stdout ---
{
"auditReportVersion": 2,
"vulnerabilities": {
"tmp": {
"name": "tmp",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1119610,
"name": "tmp",
"dependency": "tmp",
"title": "tmp has Path Traversal via unsanitized prefix/postfix that enables directory escape",
"url": "https://github.com/advisories/GHSA-ph9p-34f9-6g65",
"severity": "high",
"cwe": [
"CWE-22"
],
"cvss": {
"score": 0,
"vectorString": null
},
"range": "<0.2.6"
}
],
"effects": [],
"range": "<0.2.6",
"nodes": [
"node_modules/tmp"
],
"fixAvailable": true
}
},
"metadata": {
"vulnerabilities": {
"info": 0,
"low": 0,
"moderate": 0,
"high": 1,
"critical": 0,
"total": 1
},
"dependencies": {
"prod": 1,
"dev": 570,
"optional": 1,
"peer": 1,
"peerOptional": 0,
"total": 570
}
}
}
--- end ---
Attempting to npm audit fix
$ /usr/bin/npm audit fix --dry-run --only=dev --json
--- stderr ---
npm WARN invalid config only="dev" set in command line options
npm WARN invalid config Must be one of: null, prod, production
--- stdout ---
{
"added": 570,
"removed": 0,
"changed": 0,
"audited": 571,
"funding": 101,
"audit": {
"auditReportVersion": 2,
"vulnerabilities": {
"tmp": {
"name": "tmp",
"severity": "high",
"isDirect": false,
"via": [
{
"source": 1119610,
"name": "tmp",
"dependency": "tmp",
"title": "tmp has Path Traversal via unsanitized prefix/postfix that enables directory escape",
"url": "https://github.com/advisories/GHSA-ph9p-34f9-6g65",
"severity": "high",
"cwe": [
"CWE-22"
],
"cvss": {
"score": 0,
"vectorString": null
},
"range": "<0.2.6"
}
],
"effects": [],
"range": "<0.2.6",
"nodes": [
""
],
"fixAvailable": true
}
},
"metadata": {
"vulnerabilities": {
"info": 0,
"low": 0,
"moderate": 0,
"high": 1,
"critical": 0,
"total": 1
},
"dependencies": {
"prod": 1,
"dev": 570,
"optional": 1,
"peer": 1,
"peerOptional": 0,
"total": 570
}
}
}
}
--- end ---
{"added": 570, "removed": 0, "changed": 0, "audited": 571, "funding": 101, "audit": {"auditReportVersion": 2, "vulnerabilities": {"tmp": {"name": "tmp", "severity": "high", "isDirect": false, "via": [{"source": 1119610, "name": "tmp", "dependency": "tmp", "title": "tmp has Path Traversal via unsanitized prefix/postfix that enables directory escape", "url": "https://github.com/advisories/GHSA-ph9p-34f9-6g65", "severity": "high", "cwe": ["CWE-22"], "cvss": {"score": 0, "vectorString": null}, "range": "<0.2.6"}], "effects": [], "range": "<0.2.6", "nodes": [""], "fixAvailable": true}}, "metadata": {"vulnerabilities": {"info": 0, "low": 0, "moderate": 0, "high": 1, "critical": 0, "total": 1}, "dependencies": {"prod": 1, "dev": 570, "optional": 1, "peer": 1, "peerOptional": 0, "total": 570}}}}
$ /usr/bin/npm audit fix --only=dev
--- stderr ---
npm WARN invalid config only="dev" set in command line options
npm WARN invalid config Must be one of: null, prod, production
npm WARN deprecated rimraf@2.7.1: Rimraf versions prior to v4 are no longer supported
npm WARN deprecated @humanwhocodes/config-array@0.13.0: Use @eslint/config-array instead
npm WARN deprecated @humanwhocodes/object-schema@2.0.3: Use @eslint/object-schema instead
npm WARN deprecated glob@7.1.7: Old versions of glob are not supported, and contain widely publicized security vulnerabilities, which have been fixed in the current version. Please update. Support for old versions may be purchased (at exorbitant rates) by contacting i@izs.me
npm WARN deprecated eslint@8.57.1: This version is no longer supported. Please see https://eslint.org/version-support for other options.
--- stdout ---
added 569 packages, and audited 570 packages in 5s
101 packages are looking for funding
run `npm fund` for details
found 0 vulnerabilities
--- end ---
Verifying that tests still pass
$ /usr/bin/npm ci
--- stderr ---
npm WARN deprecated rimraf@2.7.1: Rimraf versions prior to v4 are no longer supported
npm WARN deprecated @humanwhocodes/config-array@0.13.0: Use @eslint/config-array instead
npm WARN deprecated @humanwhocodes/object-schema@2.0.3: Use @eslint/object-schema instead
npm WARN deprecated glob@7.1.7: Old versions of glob are not supported, and contain widely publicized security vulnerabilities, which have been fixed in the current version. Please update. Support for old versions may be purchased (at exorbitant rates) by contacting i@izs.me
npm WARN deprecated eslint@8.57.1: This version is no longer supported. Please see https://eslint.org/version-support for other options.
--- stdout ---
added 569 packages, and audited 570 packages in 5s
101 packages are looking for funding
run `npm fund` for details
found 0 vulnerabilities
--- end ---
$ /usr/bin/npm test
--- stderr ---
[baseline-browser-mapping] The data in this module is over two months old. To ensure accurate Baseline data, please update: `npm i baseline-browser-mapping@latest -D`
--- stdout ---
> unicodejs@15.0.0 test
> grunt test
Running "set-meta" task
Running "set-dev" task
Running "clean:dist" (clean) task
>> 0 paths cleaned.
Running "concat:all" (concat) task
Running "copy:dist" (copy) task
Copied 3 files
Running "copy:licence" (copy) task
Copied 1 file
Running "eslint:all" (eslint) task
Running "karma:chrome" (karma) task
30 05 2026 07:02:26.765:INFO [karma-server]: Karma v6.4.4 server started at http://localhost:9876/
30 05 2026 07:02:26.767:INFO [launcher]: Launching browsers ChromeCustom with concurrency unlimited
30 05 2026 07:02:26.771:INFO [launcher]: Starting browser ChromeHeadless
30 05 2026 07:02:27.630:INFO [Chrome Headless 145.0.0.0 (Linux x86_64)]: Connected on socket ETZSlYXTfZxgECCGAAAB with id 3856878
.........
Chrome Headless 145.0.0.0 (Linux x86_64): Executed 9 of 9 SUCCESS (0.087 secs / 0.074 secs)
=============================== Coverage summary ===============================
Statements : 100% ( 248/248 )
Branches : 100% ( 238/238 )
Functions : 100% ( 27/27 )
Lines : 100% ( 246/246 )
================================================================================
Running "karma:firefox" (karma) task
30 05 2026 07:02:28.108:INFO [karma-server]: Karma v6.4.4 server started at http://localhost:9876/
30 05 2026 07:02:28.108:INFO [launcher]: Launching browsers FirefoxHeadless with concurrency unlimited
30 05 2026 07:02:28.110:INFO [launcher]: Starting browser FirefoxHeadless
30 05 2026 07:02:33.723:INFO [Firefox 140.0 (Linux x86_64)]: Connected on socket h7tLRXSTlNQr4dbiAAAD with id 61100701
.........
Firefox 140.0 (Linux x86_64): Executed 9 of 9 SUCCESS (0.164 secs / 0.124 secs)
=============================== Coverage summary ===============================
Statements : 100% ( 248/248 )
Branches : 100% ( 238/238 )
Functions : 100% ( 27/27 )
Lines : 100% ( 246/246 )
================================================================================
Done.
--- end ---
{"1119610": {"source": 1119610, "name": "tmp", "dependency": "tmp", "title": "tmp has Path Traversal via unsanitized prefix/postfix that enables directory escape", "url": "https://github.com/advisories/GHSA-ph9p-34f9-6g65", "severity": "high", "cwe": ["CWE-22"], "cvss": {"score": 0, "vectorString": null}, "range": "<0.2.6"}}
Upgrading n:tmp from 0.2.4 -> 0.2.7
$ package-lock-lint /src/repo/package-lock.json
--- stdout ---
Checking /src/repo/package-lock.json
--- end ---
build: Updating tmp to 0.2.7
* https://github.com/advisories/GHSA-ph9p-34f9-6g65
$ git add .
--- stdout ---
--- end ---
$ git commit -F /tmp/tmp7tis5k8t
--- stdout ---
[master 5cf410f] build: Updating tmp to 0.2.7
1 file changed, 6 insertions(+), 6 deletions(-)
--- end ---
$ git format-patch HEAD~1 --stdout
--- stdout ---
From 5cf410fc48ffe16e958fe905d4fab7f27ce0aba2 Mon Sep 17 00:00:00 2001
From: libraryupgrader <tools.libraryupgrader@tools.wmflabs.org>
Date: Sat, 30 May 2026 07:02:35 +0000
Subject: [PATCH] build: Updating tmp to 0.2.7
* https://github.com/advisories/GHSA-ph9p-34f9-6g65
Change-Id: If635f57205de02cb3d851d0ceb2ca3b1380cfd5b
---
package-lock.json | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/package-lock.json b/package-lock.json
index 088de35..0801e36 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -6238,9 +6238,9 @@
}
},
"node_modules/tmp": {
- "version": "0.2.4",
- "resolved": "https://registry.npmjs.org/tmp/-/tmp-0.2.4.tgz",
- "integrity": "sha512-UdiSoX6ypifLmrfQ/XfiawN6hkjSBpCjhKxxZcWlUUmoXLaCKQU0bx4HF/tdDK2uzRuchf1txGvrWBzYREssoQ==",
+ "version": "0.2.7",
+ "resolved": "https://registry.npmjs.org/tmp/-/tmp-0.2.7.tgz",
+ "integrity": "sha512-e0votIpp4Uo2AJYSzVHV6xCcawuiez3DzqDAbrTc3YxBkplN6e+dM13ZeIcZnDg/QpSuU2zfZ3rzwY8ukEnaXw==",
"dev": true,
"engines": {
"node": ">=14.14"
@@ -11326,9 +11326,9 @@
}
},
"tmp": {
- "version": "0.2.4",
- "resolved": "https://registry.npmjs.org/tmp/-/tmp-0.2.4.tgz",
- "integrity": "sha512-UdiSoX6ypifLmrfQ/XfiawN6hkjSBpCjhKxxZcWlUUmoXLaCKQU0bx4HF/tdDK2uzRuchf1txGvrWBzYREssoQ==",
+ "version": "0.2.7",
+ "resolved": "https://registry.npmjs.org/tmp/-/tmp-0.2.7.tgz",
+ "integrity": "sha512-e0votIpp4Uo2AJYSzVHV6xCcawuiez3DzqDAbrTc3YxBkplN6e+dM13ZeIcZnDg/QpSuU2zfZ3rzwY8ukEnaXw==",
"dev": true
},
"to-regex-range": {
--
2.47.3
--- end ---