Bump tmp to 0.2.6 to resolve the two open tmp Dependabot alerts

[IEvangelist]

Bump tmp to 0.2.6 to resolve the two open tmp Dependabot alerts

Summary

Closes the two remaining open Dependabot alerts that are not covered by the existing dependabot group PR #17539. Both alerts are for the tmp package (< 0.2.6 path traversal, GHSA-ph9p-34f9-6g65).

Alerts addressed

File	Vuln range	Bumped to	Severity	Alert
extension/yarn.lock	< 0.2.6	0.2.6	high	#1174
playground/AspireWithJavaScript/AspireJavaScript.Angular/package-lock.json	< 0.2.6	0.2.7	high	#1175

How each manifest was updated

• extension — tmp is transitive (via @vscode/test-electron). Added "tmp": "0.2.6" to the existing resolutions block in package.json and patched the single tmp@^0.2.3 entry in yarn.lock to point at tmp-0.2.6.tgz (resolved + sha1 integrity validated against the configured pkgs.dev.azure.com/dnceng mirror). yarn install --frozen-lockfile succeeds.
• playground/AspireWithJavaScript/AspireJavaScript.Angular — tmp is transitive (via karma). Added "tmp": "^0.2.6" to the existing overrides block in package.json and regenerated package-lock.json via npm install --package-lock-only --legacy-peer-deps (matching the lockfile''s prior generation flags). Only the tmp resolved version + integrity changes; the new resolved version is 0.2.7 (highest matching ^0.2.6).

Risk notes for reviewers

• tmp is a dev-only transitive dependency in both manifests; not a direct dependency, not in a runtime/published artifact.
• Patch bump (0.2.5 → 0.2.6/0.2.7). No public API changes.
• Complements PR Bump the npm_and_yarn group across 10 directories with 6 updates #17539 (dependabot npm_and_yarn group), which addresses the other 32 open alerts (qs, ws, @nevware21/ts-utils, fast-uri, @babel/plugin-transform-modules-systemjs, next).

Validation

extension/yarn.lock:
  OK  tmp = 0.2.6 (expected >= 0.2.6)
  `yarn install --frozen-lockfile` ✅

playground/AspireWithJavaScript/AspireJavaScript.Angular/package-lock.json:
  OK  tmp = 0.2.7 (expected >= 0.2.6)
  `npm install --package-lock-only --legacy-peer-deps` ✅

[github-actions]

🚀 Dogfood this PR with:

⚠️ WARNING: Do not do this without first carefully reviewing the code of this PR to satisfy yourself it is safe.

curl -fsSL https://raw.githubusercontent.com/microsoft/aspire/main/eng/scripts/get-aspire-cli-pr.sh | bash -s -- 17594

Or

• Run remotely in PowerShell:

iex "& { $(irm https://raw.githubusercontent.com/microsoft/aspire/main/eng/scripts/get-aspire-cli-pr.ps1) } 17594"

[Copilot]

Pull request overview

Bumps the transitive tmp dependency to >= 0.2.6 in two manifests to close two open Dependabot alerts (GHSA-ph9p-34f9-6g65, path traversal). tmp is a dev-only transitive dep (via @vscode/vsce in the extension, via karma in the Angular playground); no source code uses it directly.

Changes:

• Pin tmp to 0.2.6 in extension/package.json resolutions and update extension/yarn.lock accordingly (resolved via the internal dnceng npm mirror).
• Add "tmp": "^0.2.6" to overrides in the Angular playground package.json and regenerate package-lock.json (resolves to 0.2.7).

Reviewed changes

Copilot reviewed 2 out of 4 changed files in this pull request and generated no comments.

File	Description
extension/package.json	Adds tmp: 0.2.6 resolution pin.
extension/yarn.lock	Updates tmp entry to 0.2.6 via the dnceng feed.
playground/AspireWithJavaScript/AspireJavaScript.Angular/package.json	Adds tmp: ^0.2.6 override.
playground/AspireWithJavaScript/AspireJavaScript.Angular/package-lock.json	Updates resolved tmp to 0.2.7 from npmjs.org.

Files not reviewed (1)

• playground/AspireWithJavaScript/AspireJavaScript.Angular/package-lock.json: Language not supported

[github-actions]

❓ CLI E2E Tests unknown — 107 passed, 0 failed, 2 unknown (commit 0adc00b)

View all recordings

Status	Test	Recording	Job	Artifacts
✅	AddPackageInteractiveWhileAppHostRunningDetached	Recording	#78281409685	Logs
✅	AddPackageWhileAppHostRunningDetached	Recording	#78281409685	Logs
✅	AgentCommands_AllHelpOutputs_AreCorrect	Recording	#78281410114	Logs
✅	AgentInitCommand_DefaultSelection_InstallsDefaultSkills	Recording	#78281410114	Logs
✅	AgentInitCommand_MigratesDeprecatedConfig	Recording	#78281410114	Logs
✅	AgentMcpListStructuredLogsReturnsLogsFromStarterApp	Recording	#78281410138	Logs
✅	AgentMcpListStructuredLogsReturnsLogsFromStarterApp_DevLocalhost	Recording	#78281410138	Logs
✅	AgentMcpListStructuredLogsReturnsLogsFromStarterApp_Isolated	Recording	#78281410138	Logs
✅	AllPublishMethodsBuildDockerImages	Recording	#78281410003	Logs
✅	AspireAddAndStartWorkAgainstLegacyAppHostTs	Recording	#78281409448	Logs
✅	AspireAddPackageVersionToDirectoryPackagesProps	Recording	#78281409975	Logs
✅	AspireInitSingleFileAppHostRunsViaDotnetRunAppHost	Recording	#78281409857	Logs
✅	AspireInitWithExistingAppHostDirRecreatesMissingNuGetConfigAndPreservesFiles	Recording	#78281410000	Logs
❔	AspireInitWithSolutionFileGeneratesAppHostThatBuildsAgainstChannelHive	Recording	#78281410000	Logs
✅	AspireStartUpdatesStaleTypeScriptAppHostPath	Recording	#78281409955	Logs
✅	AspireUpdateRemovesAppHostPackageVersionFromDirectoryPackagesProps	Recording	#78281409975	Logs
✅	AspireUpdateRemovesOrphanAppHostPackageVersionWhenSdkAlreadyCurrent	Recording	#78281409975	Logs
✅	Banner_DisplayedOnFirstRun	Recording	#78281410128	Logs
✅	Banner_DisplayedWithExplicitFlag	Recording	#78281410128	Logs
✅	Banner_NotDisplayedWithNoLogoFlag	Recording	#78281410128	Logs
✅	CertificatesClean_RemovesCertificates	Recording	#78281409878	Logs
✅	CertificatesTrust_WithNoCert_CreatesAndTrustsCertificate	Recording	#78281409878	Logs
✅	CertificatesTrust_WithUntrustedCert_TrustsCertificate	Recording	#78281409878	Logs
✅	ConfigSetGet_CreatesNestedJsonFormat	Recording	#78281409542	Logs
✅	CreateAndRunAspireStarterProject	Recording	#78281410074	Logs
✅	CreateAndRunAspireStarterProjectWithBundle	Recording	#78281409260	Logs
✅	CreateAndRunEmptyAppHostProject	Recording	#78281410067	Logs
✅	CreateAndRunJavaEmptyAppHostProject	Recording	#78281409344	Logs
✅	CreateAndRunJsReactProject	Recording	#78281410125	Logs
✅	CreateAndRunPythonReactProject	Recording	#78281409664	Logs
✅	CreateAndRunTypeScriptEmptyAppHostProject	Recording	#78281409946	Logs
✅	CreateAndRunTypeScriptStarterProject	Recording	#78281410137	Logs
✅	CreateJavaAppHostWithViteApp	Recording	#78281410147	Logs
✅	CreateTypeScriptAppHostWithViteApp_AllowsGuestAppPackageManagerToDiffer	Recording	#78281409719	Logs
✅	CreateTypeScriptAppHostWithViteApp_UsesConfiguredToolchain	Recording	#78281409719	Logs
✅	DashboardRunWithAgentMcpListTracesReturnsNoTraces	Recording	#78281409613	Logs
✅	DashboardRunWithAgentMcpListTracesReturnsNoTraces_DevLocalhost	Recording	#78281409613	Logs
✅	DashboardRunWithOtelTracesReturnsNoTraces	Recording	#78281409613	Logs
✅	DashboardRunWithOtelTracesReturnsNoTraces_DevLocalhost	Recording	#78281409613	Logs
✅	DeployK8sBasicApiService	Recording	#78281409337	Logs
✅	DeployK8sWithExternalHelmChart	Recording	#78281410126	Logs
✅	DeployK8sWithGarnet	Recording	#78281409737	Logs
✅	DeployK8sWithMongoDB	Recording	#78281409895	Logs
✅	DeployK8sWithMySql	Recording	#78281409560	Logs
✅	DeployK8sWithPostgres	Recording	#78281409809	Logs
✅	DeployK8sWithRabbitMQ	Recording	#78281409792	Logs
✅	DeployK8sWithRedis	Recording	#78281409865	Logs
✅	DeployK8sWithSqlServer	Recording	#78281410007	Logs
✅	DeployK8sWithValkey	Recording	#78281410073	Logs
✅	DeployTypeScriptAppToKubernetes	Recording	#78281410229	Logs
✅	DescribeCommandResolvesReplicaNames	Recording	#78281409707	Logs
✅	DescribeCommandShowsRunningResources	Recording	#78281409707	Logs
✅	DetachFormatJsonProducesValidJson	Recording	#78281409958	Logs
✅	DetachFormatJsonProducesValidJsonWhenRestartingExistingInstance	Recording	#78281409958	Logs
✅	DoPublishAndDeployListStepsWork	Recording	#78281409381	Logs
✅	DocsCommand_RendersInteractiveMarkdownFromLocalSource	Recording	#78281409625	Logs
✅	DoctorCommand_DetectsDeprecatedAgentConfig	Recording	#78281410114	Logs
✅	DoctorCommand_TypeScriptAppHostReportsMissingConfiguredToolchain	Recording	#78281409908	Logs
✅	DoctorCommand_WithSslCertDir_ShowsTrusted	Recording	#78281409908	Logs
✅	DoctorCommand_WithoutSslCertDir_ShowsPartiallyTrusted	Recording	#78281409908	Logs
✅	GatewayWithoutExternalEndpoint_FailsPublishWithGuidance	Recording	#78281409385	Logs
✅	GeneratedAspireDevScript_StartsWatchMode_WithConfiguredToolchain	Recording	#78281409719	Logs
✅	GlobalMigration_HandlesCommentsAndTrailingCommas	Recording	#78281409542	Logs
✅	GlobalMigration_HandlesMalformedLegacyJson	Recording	#78281409542	Logs
✅	GlobalMigration_PreservesAllValueTypes	Recording	#78281409542	Logs
✅	GlobalMigration_SkipsWhenNewConfigExists	Recording	#78281409542	Logs
✅	GlobalSettings_MigratedFromLegacyFormat	Recording	#78281409542	Logs
✅	IngressWithoutExternalEndpoint_FailsPublishWithGuidance	Recording	#78281409385	Logs
✅	InitTypeScriptAppHost_AugmentsExistingViteRepoInWorkspaceSubdirectory	Recording	#78281409719	Logs
✅	InteractiveCSharpInitCreatesExpectedFiles	Recording	#78281410019	Logs
✅	InvalidAppHostPathWithComments_IsHealedOnRun	Recording	#78281409941	Logs
✅	JavaScriptHostingApisRunFromTypeScriptAppHost	Recording	#78281410003	Logs
✅	LatestCliCanStartStableChannelAppHost	Recording	#78281410074	Logs
✅	LatestCliCanStartStableChannelTypeScriptAppHost	Recording	#78281410074	Logs
✅	LegacySettingsMigration_AdjustsRelativeAppHostPath	Recording	#78281409955	Logs
✅	LogsCommandShowsResourceLogs	Recording	#78281409611	Logs
✅	OtelLogsReturnsStructuredLogsFromStarterApp	Recording	#78281409581	Logs
✅	OtelLogsReturnsStructuredLogsFromStarterAppIsolated	Recording	#78281409581	Logs
✅	PsCommandListsRunningAppHost	Recording	#78281409522	Logs
✅	PsFormatJsonOutputsOnlyJsonToStdout	Recording	#78281409522	Logs
✅	PublishJavaScriptPatternsGeneratesExpectedDockerComposeArtifacts	Recording	#78281409696	Logs
✅	PublishWithConfigureEnvFileUpdatesEnvOutput	Recording	#78281409696	Logs
✅	PublishWithDockerComposeServiceCallbackSucceeds	Recording	#78281409696	Logs
✅	PublishWithoutOutputPathUsesAppHostDirectoryDefault	Recording	#78281409696	Logs
✅	ResourceCommand_FailedExecution_DisplaysAppHostLogPathAndLogContainsEntries	Recording	#78281409663	Logs
✅	ResourceCommand_SetAndDeleteParameterUpdatesDescribeOutput	Recording	#78281409663	Logs
✅	RestoreGeneratesSdkFiles	Recording	#78281410142	Logs
✅	RestoreGeneratesSdkFiles_WithConfiguredToolchain	Recording	#78281409433	Logs
✅	RestoreRefreshesGeneratedSdkAfterAddingIntegration	Recording	#78281409433	Logs
✅	RestoreSupportsConfigOnlyHelperPackageAndCrossPackageTypes	Recording	#78281409682	Logs
✅	RunFromParentDirectory_UsesExistingConfigNearAppHost	Recording	#78281409309	Logs
✅	RunReportsSyntaxErrorsForDotNetAppHost	Recording	#78281410063	Logs
✅	RunReportsSyntaxErrorsForTypeScriptAppHost	Recording	#78281410063	Logs
✅	SecretCrudOnDotNetAppHost	Recording	#78281409286	Logs
✅	SecretCrudOnTypeScriptAppHost	Recording	#78281409501	Logs
✅	StagingChannel_ConfigureAndVerifySettings_ThenSwitchChannels	Recording	#78281409447	Logs
✅	StartAndWaitForTypeScriptSqlServerAppHostWithNativeAssets	Recording	#78281410289	Logs
✅	StartReportsSyntaxErrorsForDotNetAppHost	Recording	#78281410063	Logs
✅	StartReportsSyntaxErrorsForTypeScriptAppHost	Recording	#78281410063	Logs
✅	StopAllAppHostsFromAppHostDirectory	Recording	#78281410060	Logs
✅	StopJavaPolyglotAppHostUsingApphostDirectory	Recording	#78281410140	Logs
✅	StopNonInteractiveSingleAppHost	Recording	#78281410060	Logs
✅	StopTypeScriptPolyglotAppHostUsingApphostDirectory	Recording	#78281409516	Logs
✅	StopWithNoRunningAppHostExitsSuccessfully	Recording	#78281409685	Logs
✅	UnAwaitedChainsCompileWithAutoResolvePromises	Recording	#78281409433	Logs
❔	UpdateProjectChannelToStable_CSharpEmptyAppHost_PreservesAspireConfigChannel	Recording	#78281409803	Logs
✅	UpdateProjectChannelToStable_CSharpSingleFileInit_PreservesAspireConfigChannel	Recording	#78281409803	Logs
✅	UpdateProjectChannelToStable_TypeScriptSingleFileInit_PreservesAspireConfigChannel	Recording	#78281409803	Logs
✅	UpdateProjectChannelToStable_TypeScript_PreviewsStablePackagesAndPreservesChannel	Recording	#78281409803	Logs

---

_{📹 Recordings uploaded automatically from CI run #26571470386}

[IEvangelist]

Status check (Dependabot alert sweep across all 4 Aspire repos):

This PR + #17539 together close all 30 open Dependabot alerts on this repo. Coverage:

• Bump the npm_and_yarn group across 10 directories with 6 updates #17539 (npm_and_yarn group, dependabot): bumps next 15.5.18, qs 6.15.2, ws 8.20.1, @nevware21/ts-utils 0.14.0, fast-uri 3.1.2, @babel/plugin-transform-modules-systemjs 7.29.4 across 10 directories. All 99 checks green. Approved.
• This PR (Bump tmp to 0.2.6 to resolve the two open tmp Dependabot alerts #17594): closes the two remaining tmp alerts (Generate a new manifest for the dapr app #1174 in extension/yarn.lock via yarn resolutions, NATS Aspire container #1175 in the Angular playground lock via npm overrides) that the dependabot group bump couldn't pick up.

All 99 required checks are green on this PR as well, and it's in a BLOCKED mergeable state pending review. I'm the author so I can't self-approve - flagging here for a reviewer.

[aspire-repo-bot]

Pull request created: #1123

Generated by PR Documentation Check

[aspire-repo-bot]

📝 Documentation has been drafted in microsoft/aspire.dev#1123 targeting release/13.4.

Added a 🔒 Security updates section to the Aspire 13.4 what's-new page noting that the tmp npm package (transitive dev dependency in the VS Code extension and Angular playground sample) was updated to address GHSA-ph9p-34f9-6g65. The note clarifies this dependency is not present in any published Aspire NuGet packages.\n\nFiles modified:\n- src/frontend/src/content/docs/whats-new/aspire-13-4.mdx

Note

This draft PR needs human review before merging.