Skip to content
Permalink

Comparing changes

Choose two branches to see what’s changed or to start a new pull request. If you need to, you can also or learn more about diff comparisons.

Open a pull request

Create a new pull request by comparing changes across two branches. If you need to, you can also . Learn more about diff comparisons here.
base repository: raszi/node-tmp
Failed to load repositories. Confirm that selected base ref is valid, then try again.
Loading
base: v0.2.4
Choose a base ref
...
head repository: raszi/node-tmp
Failed to load repositories. Confirm that selected head ref is valid, then try again.
Loading
compare: v0.2.7
Choose a head ref
  • 9 commits
  • 6 files changed
  • 4 contributors

Commits on Aug 7, 2025

  1. Fix use of tmp.dir() with dir option

    @fflorent
    fflorent committed Aug 7, 2025
    Configuration menu
    Copy the full SHA
    b847d2f View commit details
    Browse the repository at this point in the history

Commits on Aug 8, 2025

  1. Merge pull request #309 from fflorent/fix-tmp-dir-with-dir 

    Fix use of tmp.dir() with `dir` option
    @raszi
    raszi authored Aug 8, 2025
    Configuration menu
    Copy the full SHA
    e162828 View commit details
    Browse the repository at this point in the history

  2. Bump up the version

    @raszi
    raszi committed Aug 8, 2025
    Configuration menu
    Copy the full SHA
    3d2fe38 View commit details
    Browse the repository at this point in the history

Commits on Apr 6, 2026

  1. Check for relative values

    @raszi
    raszi committed Apr 6, 2026
    Configuration menu
    Copy the full SHA
    7ef2728 View commit details
    Browse the repository at this point in the history

Commits on May 12, 2026

  1. Merge commit from fork 

    fix: check for relative values
    @raszi
    raszi authored May 12, 2026
    Configuration menu
    Copy the full SHA
    efa4a06 View commit details
    Browse the repository at this point in the history

Commits on May 26, 2026

  1. Bump up the version

    @raszi
    raszi committed May 26, 2026
    Configuration menu
    Copy the full SHA
    41f7159 View commit details
    Browse the repository at this point in the history

Commits on May 27, 2026

  1. Reject non-string prefix, postfix, template 

    The relative-value guard in `_assertPath` calls `.includes('..')` directly on
the user-supplied value. When the value is an Array the call checks element
equality (so `['../escape'].includes('..')` is false), and when the value is
an arbitrary object a duck-typed `includes` returning false defeats the check
entirely. In both cases the value is subsequently coerced to a string by
`Array.prototype.join` inside `_generateTmpName` and by `path.join`, so a
non-string carrying `../` still produces a path that escapes `tmpdir`.

Tighten `_assertPath` to require `typeof value === 'string'` before the
substring check, and apply the same type check to `template` ahead of the
existing `XXXXXX` regex match (otherwise `match` throws on a non-string with
an unrelated error). The error includes the option name so consumers can see
which option was wrong.

Adds a `test/GHSA-7c78-jf6q-g5cm-test.js` that exercises array, duck-typed
object, and primitive (number) inputs across `fileSync`, `dirSync`, and
`tmpNameSync`, and asserts that valid string inputs are still accepted.

Signed-off-by: tonghuaroot <tonghuaroot@gmail.com>
    @tonghuaroot
    tonghuaroot committed May 27, 2026
    Configuration menu
    Copy the full SHA
    ce787f3 View commit details
    Browse the repository at this point in the history

  2. Merge commit from fork 

    Reject non-string prefix, postfix, template
    @raszi
    raszi authored May 27, 2026
    Configuration menu
    Copy the full SHA
    8f24f78 View commit details
    Browse the repository at this point in the history

  3. Bump up the version

    @raszi
    raszi committed May 27, 2026
    Configuration menu
    Copy the full SHA
    8ea1f37 View commit details
    Browse the repository at this point in the history
Loading