fix(build): pin tmp >=0.2.6 to resolve GHSA-ph9p-34f9-6g65

[WilliamBerryiii]

Pull Request

Description

Pin transitive tmp dependency to >=0.2.6 via the root overrides block to resolve GHSA-ph9p-34f9-6g65 (CWE-22 arbitrary path traversal via symbolic link, high severity).

tmp@0.2.5 is pulled in transitively through @vscode/vsce@3.9.1 → tmp. Rather than bumping @vscode/vsce (which could carry unrelated breaking changes), the fix uses the repository's existing overrides pattern alongside other pinned transitive deps (basic-ftp, undici, yauzl, etc.).

Related Issue(s)

Resolves the npm Security Audit CI failure observed on recent PRs (e.g. #1497).

Type of Change

Code & Documentation:

• Bug fix (non-breaking change fixing an issue)

Infrastructure & Configuration:

• Security configuration
• Dependency update

Testing

• npm install succeeded; package-lock.json regenerated.

• npm ls tmp --all shows the override is active:

  hve-core@3.3.101
  └─┬ @vscode/vsce@3.9.1
    └── tmp@0.2.6 overridden
  

• npm run audit:npm (audit-ci) → exit code 0, "Passed npm security audit", 0 vulnerabilities across all severities.

Checklist

Required Checks

• Files follow existing naming conventions
• Changes are backwards compatible

Security Considerations

• This PR does not contain any sensitive or NDA information
• Any new dependencies have been reviewed for security issues — tmp@0.2.6 is the upstream-published patched release for GHSA-ph9p-34f9-6g65.

[github-actions]

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

OpenSSF Scorecard

Package	Version	Score	Details
npm/tmp	0.2.6	🟢 4	Details Check Score Reason Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Packaging ⚠️ -1 packaging workflow not detected Maintained 🟢 5 6 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 5 Code-Review ⚠️ 1 Found 2/18 approved changesets -- score normalized to 1 Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies 🟢 3 dependency not pinned by hash detected -- score normalized to 3 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Security-Policy ⚠️ 0 security policy file not detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0

Scanned Files

• package-lock.json

[codecov-commenter]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 85.73%. Comparing base (d307f8a) to head (2c05c28).

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #1686      +/-   ##
==========================================
- Coverage   85.74%   85.73%   -0.01%     
==========================================
  Files          81       81              
  Lines       11783    11783              
==========================================
- Hits        10103    10102       -1     
- Misses       1680     1681       +1     

Flag	Coverage Δ
pester	84.02% <ø> (-0.02%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.
see 1 file with indirect coverage changes

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.