Security Alert: tmp allows arbitrary temporary file / directory write via symbolic link `dir` parameter

[akaustav]

The version of the tmp package currently used in this repository is vulnerable to the security issue described in:

• CVE-2025-54798
• GHSA-52f5-9888-hmc6

And here's a sample outcome of the npm ls tmp command ran in a temporary project using v0.16.5 of apigeetool:

% npm ls tmp
project@1.0.0 /path/to/project
└─┬ apigeetool@0.16.5
  └── tmp@0.0.27

Please fix this.

[akaustav]

I believe the issue comes from the following line:

apigeetool-node/package.json

Line 38 in 76235a6

"tmp": "^0.0.27"

[akaustav]

@DinoChiesa - I have opened PR #256 with a potential fix for this issue. However, I have NOT tested the changes from that PR in a real Apigee Edge environment yet.

[akaustav]

@DinoChiesa - Gentle reminder about this issue. Please consider reviewing the associated PR #256.

[akaustav]

@DinoChiesa / Maintainers - Gentle reminder about this issue. Please consider reviewing the associated PR #256.

[akaustav]

Attempt number 3 to get the attention of the maintainers / @DinoChiesa to this issue.

[akaustav]

Attempt number 4 to get the attention of the maintainers / @DinoChiesa to this issue.