
Conversation

@mabdullahabaid
Member

Resolves Dependabot Alert 255 - fix: tmp allows arbitrary temporary file / directory write via symbolic link dir parameter.

Updated the dev-dependency zapier-platform-cli for it to depend on tmp 0.2.4 and also ran yarn up tmp --recursive to update the version of tmp elsewhere.

Not expecting any breaking changes to twenty-zapier since zapier-platform-cli is marked as a development dependency.

@socket-security

socket-security bot commented Oct 29, 2025

All alerts resolved. Learn more about Socket for GitHub.

This PR previously contained dependency changes with security issues that have been resolved, removed, or ignored.

View full report

Contributor

@greptile-apps greptile-apps bot left a comment


Greptile Overview

Greptile Summary

This PR addresses Dependabot Alert 255 by upgrading zapier-platform-cli from 15.4.1 to 17.9.1, which transitively updates the vulnerable tmp package from 0.2.1/0.2.3 to 0.2.4/0.2.5. The vulnerability (CVE) allowed arbitrary temporary file/directory writes via symbolic link attacks on the dir parameter.

Key changes:

  • Updated zapier-platform-cli dev dependency (major version bump from 15 to 17)
  • Transitive update of tmp package to patched versions (0.2.4+)
  • Multiple Babel and oclif dependencies updated as part of CLI upgrade

Impact:

  • Security: Fixes critical symlink vulnerability in temporary file operations
  • Runtime: No impact - zapier-platform-cli is a dev dependency used only for build/validation/deployment
  • Compatibility: CLI v17 should work with existing zapier-platform-core v15.5.1, though version alignment may need verification

Confidence Score: 4/5

  • This PR is safe to merge with minimal risk - it addresses a security vulnerability through a dev dependency upgrade
  • Score reflects that the security fix is appropriate and the CLI is only a dev dependency (no runtime impact). One point deducted due to: (1) major version jump from CLI 15→17 without testing validation, and (2) potential metadata mismatch in convertedByCLIVersion field that may need verification
  • Verify that packages/twenty-zapier/package.json line 13 (convertedByCLIVersion) metadata is correct, and test that CLI v17 commands (zapier validate, zapier push) work correctly with core v15

Important Files Changed

File Analysis

Filename                              Score  Overview
packages/twenty-zapier/package.json   4/5    Updated zapier-platform-cli from 15.4.1 to 17.9.1 to pull in fixed tmp 0.2.4
yarn.lock                             4/5    Updated lockfile with zapier-platform-cli 17.9.1 dependencies including tmp 0.2.4 and other transitive dependency updates

Sequence Diagram

sequenceDiagram
    participant Dev as Developer
    participant Package as twenty-zapier/package.json
    participant Yarn as yarn.lock
    participant CLI as zapier-platform-cli
    participant Tmp as tmp package
    
    Note over Dev,Tmp: Security Vulnerability Fix (CVE)
    
    Dev->>Package: Update zapier-platform-cli: 15.4.1 → 17.9.1
    Package->>Yarn: Run yarn install
    Yarn->>CLI: Resolve zapier-platform-cli@17.9.1
    CLI->>Tmp: Depend on tmp@0.2.4 (patched)
    Tmp-->>CLI: Provides secure temp file handling
    CLI-->>Yarn: Install with all dependencies
    Yarn->>Yarn: Update tmp: 0.2.1/0.2.3 → 0.2.4/0.2.5
    Yarn-->>Package: Lock dependencies
    
    Note over Tmp: tmp@0.2.4+ fixes symlink vulnerability<br/>Prevents arbitrary file/directory writes

Additional Comments (1)

  1. packages/twenty-zapier/package.json, line 12-14

    style: Check if convertedByCLIVersion needs updating to match the new CLI version (17.9.1). The metadata still references the old 15.4.1 version

1 file reviewed, 1 comment


@mabdullahabaid
Member Author

mabdullahabaid commented Oct 30, 2025

Dependabot Alert 78, Dependabot Alert 79 and Dependabot Alert 80 are also caused by zapier-platform-cli v15.

@mabdullahabaid
Member Author

mabdullahabaid commented Oct 30, 2025

Upon further research, we also need to update zapier-platform-core to v17x in order to resolve a couple of critical alerts: Dependabot Alert 246 and Dependabot Alert 248.

zapier-platform-core below version 17 relies on form-data version 4.0.0 or 4.0.1, not 4.0.4.

I can move the update to both zapier-platform-core and zapier-platform-cli into a separate PR altogether to keep things together - let me know.


@charlesBochet
Member

@mabdullahabaid sorry for the slow review about this one, we should have merged it earlier, now we have a conflict in yarn.lock.

Could you make the change to v17 and make sure that we are still able to build and publish the zapier extension? This was the main thing holding us back from merging it; we were not sure that we would still be able to modify our zapier extension after your changes. @martmull can you give a hand here if needed?

Contributor

@martmull martmull left a comment


lgtm

@martmull martmull merged commit e462f19 into main Nov 3, 2025
42 checks passed
@martmull martmull deleted the dependabot-255 branch November 3, 2025 09:17
charlesBochet added a commit that referenced this pull request Nov 3, 2025
@mabdullahabaid mabdullahabaid restored the dependabot-255 branch November 3, 2025 10:52
@mabdullahabaid mabdullahabaid deleted the dependabot-255 branch November 3, 2025 10:52
