node-tmp - Debian Package Tracker

general

source: node-tmp (main)
version: 0.2.7+dfsg+~0.2.6-1
maintainer: Debian Javascript Maintainers (archive) (DMD)
uploaders: Utkarsh Gupta [DMD]
arch: all
std-ver: 4.7.4
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-stable: 0.2.1+dfsg-1
o-o-sec: 0.2.1+dfsg-1+deb11u1
oldstable: 0.2.2+dfsg+~0.2.3-1.1~deb12u1
stable: 0.2.2+dfsg+~0.2.3-1.1~deb13u1
testing: 0.2.7+dfsg+~0.2.6-1
unstable: 0.2.7+dfsg+~0.2.6-1

versioned links

0.2.1+dfsg-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
0.2.1+dfsg-1+deb11u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
0.2.2+dfsg+~0.2.3-1.1~deb12u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
0.2.2+dfsg+~0.2.3-1.1~deb13u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
0.2.7+dfsg+~0.2.6-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

node-tmp

action needed

1 security issue in bullseye high

There is 1 open security issue in bullseye.

1 important issue:

CVE-2026-44705: tmp is a temporary file and directory creator for node.js. Prior to 0.2.6, the tmp npm package contains a path traversal vulnerability that allows escaping the intended temporary directory when untrusted data flows into the prefix, postfix, or dir options. By embedding traversal sequences (e.g., ../) or path separators in these parameters, attackers can cause files to be created outside the configured temporary base directory at attacker-controlled locations with the privileges of the running process. This vulnerability affects applications that pass user-controlled data to tmp's file/directory creation functions without proper input sanitization. This vulnerability is fixed in 0.2.6.

Created: 2026-06-12 Last update: 2026-06-26 17:00

1 security issue in bookworm high

There is 1 open security issue in bookworm.

1 important issue:

CVE-2026-44705: tmp is a temporary file and directory creator for node.js. Prior to 0.2.6, the tmp npm package contains a path traversal vulnerability that allows escaping the intended temporary directory when untrusted data flows into the prefix, postfix, or dir options. By embedding traversal sequences (e.g., ../) or path separators in these parameters, attackers can cause files to be created outside the configured temporary base directory at attacker-controlled locations with the privileges of the running process. This vulnerability affects applications that pass user-controlled data to tmp's file/directory creation functions without proper input sanitization. This vulnerability is fixed in 0.2.6.

Created: 2026-06-12 Last update: 2026-06-26 17:00

Failed to analyze the VCS repository. Please troubleshoot and fix the issue. high

vcswatch reports that there is an error with this package's VCS, or the debian/changelog file inside it. Please check the error shown below and try to fix it. You might have to update the VCS URL in the debian/control file to point to the correct repository.

From https://salsa.debian.org/js-team/node-tmp - [deleted] (none) -> refs/pipelines/1115139 Auto packing the repository in background for optimum performance. See 'git help gc' for manual housekeeping. fatal: shallow file has changed since we read it

Created: 2025-12-30 Last update: 2026-06-24 15:33

Multiarch hinter reports 1 issue(s) normal

There are issues with the multiarch metadata for this package.

node-tmp could be marked Multi-Arch: foreign

Created: 2026-06-24 Last update: 2026-06-29 21:30

lintian reports 1 warning normal

Lintian reports 1 warning about this package. You should make the package lintian clean getting rid of them.

Created: 2026-06-24 Last update: 2026-06-24 23:17

1 low-priority security issue in trixie low

There is 1 open security issue in trixie.

1 issue left for the package maintainer to handle:

CVE-2026-44705: (needs triaging) tmp is a temporary file and directory creator for node.js. Prior to 0.2.6, the tmp npm package contains a path traversal vulnerability that allows escaping the intended temporary directory when untrusted data flows into the prefix, postfix, or dir options. By embedding traversal sequences (e.g., ../) or path separators in these parameters, attackers can cause files to be created outside the configured temporary base directory at attacker-controlled locations with the privileges of the running process. This vulnerability affects applications that pass user-controlled data to tmp's file/directory creation functions without proper input sanitization. This vulnerability is fixed in 0.2.6.

You can find information about how to handle this issue in the security team's documentation.

Created: 2026-06-12 Last update: 2026-06-26 17:00

news

[rss feed]

[2026-06-27] node-tmp 0.2.7+dfsg+~0.2.6-1 MIGRATED to testing (Debian testing watch)
[2026-06-24] Accepted node-tmp 0.2.7+dfsg+~0.2.6-1 (source) into unstable (Xavier Guimard)
[2026-01-02] node-tmp 0.2.5+dfsg+~0.2.6-2 MIGRATED to testing (Debian testing watch)
[2025-12-30] Accepted node-tmp 0.2.5+dfsg+~0.2.6-2 (source) into unstable (Bastien Roucariès) (signed by: Bastien ROUCARIÈS)
[2025-12-30] node-tmp 0.2.5+dfsg+~0.2.6-1 MIGRATED to testing (Debian testing watch)
[2025-12-26] Accepted node-tmp 0.2.5+dfsg+~0.2.6-1 (source) into unstable (Bastien Roucariès) (signed by: Bastien ROUCARIÈS)
[2025-08-22] Accepted node-tmp 0.2.2+dfsg+~0.2.3-1.1~deb12u1 (source) into oldstable-proposed-updates (Debian FTP Masters) (signed by: Adrian Bunk)
[2025-08-22] Accepted node-tmp 0.2.2+dfsg+~0.2.3-1.1~deb13u1 (source) into proposed-updates (Debian FTP Masters) (signed by: Adrian Bunk)
[2025-08-17] node-tmp 0.2.2+dfsg+~0.2.3-1.1 MIGRATED to testing (Debian testing watch)
[2025-08-12] Accepted node-tmp 0.2.2+dfsg+~0.2.3-1.1 (source) into unstable (Adrian Bunk)
[2025-08-10] Accepted node-tmp 0.2.1+dfsg-1+deb11u1 (source) into oldoldstable-security (Adrian Bunk)
[2022-09-04] Accepted node-tmp 0.2.2+dfsg+~0.2.3-1 (source) into unstable (Yadd) (signed by: Xavier Guimard)
[2022-09-04] node-tmp 0.2.2+dfsg+~0.2.3-1 MIGRATED to testing (Debian testing watch)
[2021-12-11] node-tmp 0.2.1+dfsg+~0.2.2-1 MIGRATED to testing (Debian testing watch)
[2021-12-08] Accepted node-tmp 0.2.1+dfsg+~0.2.2-1 (source) into unstable (Yadd) (signed by: Xavier Guimard)
[2021-09-17] node-tmp 0.2.1+dfsg-2 MIGRATED to testing (Debian testing watch)
[2021-09-15] Accepted node-tmp 0.2.1+dfsg-2 (source) into unstable (Yadd) (signed by: Xavier Guimard)
[2020-10-17] node-tmp 0.2.1+dfsg-1 MIGRATED to testing (Debian testing watch)
[2020-10-15] Accepted node-tmp 0.2.1+dfsg-1 (source) into unstable (Xavier Guimard)
[2020-10-14] Accepted node-tmp 0.2.0+dfsg-1 (source) into unstable (Xavier Guimard)
[2020-02-14] node-tmp 0.1.0+dfsg-6 MIGRATED to testing (Debian testing watch)
[2020-02-12] Accepted node-tmp 0.1.0+dfsg-6 (source) into unstable (Xavier Guimard)
[2020-02-05] Accepted node-tmp 0.1.0+dfsg-5 (source) into unstable (Xavier Guimard)
[2020-01-24] Accepted node-tmp 0.1.0+dfsg-4 (source) into unstable (Xavier Guimard)
[2020-01-22] node-tmp 0.1.0+dfsg-3 MIGRATED to testing (Debian testing watch)
[2020-01-20] Accepted node-tmp 0.1.0+dfsg-3 (source) into unstable (Xavier Guimard)
[2019-12-11] node-tmp 0.1.0+dfsg-2 MIGRATED to testing (Debian testing watch)
[2019-12-09] Accepted node-tmp 0.1.0+dfsg-2 (source) into unstable (Xavier Guimard)
[2019-12-03] Accepted node-tmp 0.1.0+dfsg-1 (source) into unstable (Xavier Guimard)
[2019-08-14] node-tmp 0.0.33+dfsg-2 MIGRATED to testing (Debian testing watch)

bugs [bug history graph]

all: 0

links

homepage
lintian (0, 1)
buildd: logs, reproducibility
popcon
browse source code
other distros
security tracker
debian patches
debci

ubuntu

[Information about Ubuntu for Debian Developers]

version: 0.2.7+dfsg+~0.2.6-1