[docs] Note tmp security update (GHSA-ph9p-34f9-6g65) in Aspire 13.4 release notes #1123
aspire-repo-bot[bot] wants to merge 2 commits into
Conversation
…notes Documents the bump of the transitive tmp npm package (< 0.2.6 path traversal) addressed in microsoft/aspire#17594. The dependency is dev-only and not present in any published NuGet package. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Pull request overview
Adds a short security-disclosure note to the Aspire 13.4 “What’s new” release notes to document the tmp npm package update addressing GHSA-ph9p-34f9-6g65, clarifying it affected only dev-time tooling (VS Code extension / Angular playground) and not shipped runtime artifacts.
Changes:
- Added a new 🔒 Security updates section to Aspire 13.4 release notes.
- Documented the `tmp` advisory and clarified scope/impact for Aspire users.
IEvangelist left a comment
Automated docs-accuracy review
Source of truth: microsoft/aspire release/13.4 @ cbc352350f1a9bafbaff10d14a2c8de4ac186a48
PR head: 52fc92457cd167f916dc7b143d96ef3dbd8efd29
Phase A — Claim verification (5 verifiable claims extracted)
| Verdict | Count |
|---|---|
| verified | 3 |
| verified-with-nuance | 1 |
| contradicted | 1 |
| unverifiable | 0 |
Phase B — doc-tester skill (user-perspective)
Pages exercised: src/frontend/src/content/docs/whats-new/aspire-13-4.mdx (the only file changed).
Live navigation: knowledge gap — /whats-new/ on the live site currently redirects to /whats-new/aspire-13-3/, so the 13.4 release-notes page (and therefore this new section) is not yet rendered publicly. Fell back to source inspection of the PR head MDX plus external-link verification.
Result: 0 critical, 1 warning, 1 knowledge gap, 1 passed check.
Overall verdict — REQUEST_CHANGES
There is one contradicted claim that materially misleads the reader (left as an inline comment on the relevant line). The other claims are accurate or fall within accepted nuance.
Phase A — Claim verification details
🛑 Contradicted (1)
One inline comment is left on the paragraph in question. Summary of the issue:
> "The `tmp` npm package … was updated to address [GHSA-ph9p-34f9-6g65] … affecting versions prior to 0.2.6."
By placing this in aspire-13-4.mdx, the doc asserts that the tmp ≥ 0.2.6 update is part of the Aspire 13.4 release. On release/13.4 @ cbc35235, that update is not present:
- The only commit in `microsoft/aspire` that bumps tmp to 0.2.6 is `09d3ec3fa Bump tmp to 0.2.6 to address GHSA-ph9p-34f9-6g65 (#17594)`, which is on `main` only. `git branch -r --contains 09d3ec3fa` returns only `upstream/main`.
- PR #17594 itself is `baseRefName: main`, `milestone: 13.5`, `mergedAt: 2026-05-29T16:30:26Z`: not a release/13.4 backport.
- On `release/13.4` the affected lockfiles still resolve to `tmp@0.2.5`: `extension/yarn.lock:5583-5586` has `tmp@^0.2.3` → `version "0.2.5"` (brought in transitively by `@vscode/vsce@3.7.1`, a devDependency); `playground/AspireWithJavaScript/AspireJavaScript.Angular/package-lock.json:13895-13899` has `"node_modules/tmp"` → `"version": "0.2.5"` with `"dev": true`.
The fix is real, but it ships in 13.5, not 13.4. The release-notes page where this section belongs is aspire-13-5.mdx, or the section needs to be reworded to make clear that the fix is not in the 13.4 release train (e.g., "Will be addressed in 13.5" / "Tracked for the next release"). See the inline comment for proposed wording.
✅ Verified / verified-with-nuance (4)
| # | Claim | Verdict | Evidence (microsoft/aspire@cbc35235 release/13.4) |
|---|---|---|---|
| 1 | tmp is a dev-only transitive dependency | verified | `extension/package.json` lists `@vscode/vsce@3.7.1` under `devDependencies`; `extension/yarn.lock:1078-1098` shows `"@vscode/vsce@3.7.1"` → tmp `"^0.2.3"`. Angular: `playground/AspireWithJavaScript/AspireJavaScript.Angular/package-lock.json:13895-13899` has `"dev": true`. |
| 2 | Used by the Visual Studio Code extension and the Angular playground sample | verified | Two lockfiles confirmed (see #1 above). No other lockfiles in the repo contain tmp. |
| 3 | Not included in any published Aspire NuGet packages or runtime artifacts | verified | tmp is an npm package; not present in any .NET project file. `@vscode/vsce` is a packaging/build tool used during .vsix production, not a runtime dep of the VS Code extension itself. The Angular project under `playground/` is a sample, not a shipped artifact. |
| 4 | GHSA-ph9p-34f9-6g65 is a high-severity path traversal vulnerability | verified-with-nuance | The linked advisory page itself describes "a path traversal vulnerability that allows escaping the intended temporary directory" and lists tmp < 0.2.6 as affected. The advisory's published severity label was not re-verified beyond the link; treating the linked GHSA as authoritative per spec. |
Phase B — doc-tester results
Summary
| Category | Passed | Failed | Warnings |
|---|---|---|---|
| Content accuracy (from a user's viewpoint, no source consulted) | 1 | 0 | 1 |
| Code examples | n/a | n/a | n/a |
| CLI commands | n/a | n/a | n/a |
| Links | 1 | 0 | 0 |
Critical issues
None.
Warnings
Warning 1: The section doesn't tell readers in which Aspire build the fix actually lands
Location: src/frontend/src/content/docs/whats-new/aspire-13-4.mdx — new "🔒 Security updates" section
Issue: A user scanning release notes for security advisories specifically wants to know which build of Aspire contains the fix. The new section says the package "was updated" without naming a patch version, build, or release date. Putting it in aspire-13-4.mdx is the implicit answer ("it's in 13.4"), but that signal is fragile — a user who copies the paragraph elsewhere loses it entirely.
Suggestion: State the version/build that contains the fix (e.g., "starting with Aspire 13.4.x" / "shipping in 13.5"), or at least the commit/PR reference, so the security-tracking use case is well-served independent of where the paragraph lives.
Knowledge gaps
Knowledge gap 1: live-site rendering of the 13.4 release notes is unverifiable
What I needed to do: Navigate to the published aspire-13-4 release-notes page on https://aspire.dev to verify the new section renders, that the emoji + heading hierarchy reads correctly, and that the external advisory link resolves from a browser context.
Why I couldn't: https://aspire.dev/whats-new/ currently 302-redirects to /whats-new/aspire-13-3/, and https://aspire.dev/whats-new/aspire-13-4/ 404s. The 13.4 release notes page is not yet published on the live site, and no PR preview deployment is wired up in this environment.
User impact: Users reading the rendered docs cannot see this section until 13.4 release notes are published. Until then, the only validation possible is in-source inspection.
Recommendation: Spot-check the rendered page once the 13.4 release notes are published (or in a preview branch) to confirm the section displays under the right ancestor heading and the GHSA link opens correctly.
Passed checks
- The external link https://github.com/advisories/GHSA-ph9p-34f9-6g65 resolves and the advisory describes a "path traversal vulnerability" matching the doc's description (confirmed via direct fetch).
- The new `## 🔒 Security updates` section is structurally consistent with similar prior sections in the series (e.g., `aspire-13-1.mdx` has a `## 🔒 Certificates and security` section), so the section-naming pattern is not out-of-band for this content area.
- Other release-notes pages in this series (`aspire-13-3.mdx`, `aspire-13-4.mdx`) do not link to source PRs inline for other change descriptions, so the absence of a microsoft/aspire#17594 cross-link here is consistent with existing house style and is not flagged as an issue.
Recommendations
- Priority fix: Re-target the section to the release-notes page that actually corresponds to the build containing the fix (likely `aspire-13-5.mdx` once it exists), or explicitly call out in the prose that the fix lands in a different release than this page.
- Once 13.4 release notes are published live: revisit this section in a browser to confirm the rendered heading hierarchy and link behavior.
Phase A read source code from microsoft/aspire release/13.4 @ cbc35235. Phase B used only the PR MDX + external (non-source) browsing per the doc-tester skill. Both phases completed before this single review was posted.
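The lockfile check the review describes (reading the resolved `tmp` version out of `extension/yarn.lock` and the Angular playground's `package-lock.json`, then comparing it against the advisory's fixed version) is the sort of thing worth scripting rather than eyeballing at line 5583. The following is an added example, not code from the aspire or aspire.dev repositories: it parses a lockfileVersion 3 `package-lock.json` and a yarn v1 lockfile for a named package and flags every resolved copy below the fix version. The advisory id, package name and fixed version (GHSA-ph9p-34f9-6g65, tmp, 0.2.6) come from the page; both lockfile excerpts are constructed for the example and only mimic the shape of the files the review cites.

```javascript
// Added example (not code from aspire or aspire.dev): audit npm/yarn lockfiles
// for a package affected by an advisory. Advisory data is from the page
// (GHSA-ph9p-34f9-6g65, tmp < 0.2.6). The lockfile excerpts are constructed
// for this example and only mimic the shape of the files the review cites.

const ADVISORY = { id: "GHSA-ph9p-34f9-6g65", pkg: "tmp", fixedIn: "0.2.6" };

// Constructed package-lock.json (lockfileVersion 3) with a dev-only transitive tmp.
const SAMPLE_PACKAGE_LOCK = JSON.stringify({
  name: "sample-angular-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "sample-angular-app", devDependencies: { "sample-tool": "^1.0.0" } },
    "node_modules/sample-tool": { version: "1.0.0", dev: true, dependencies: { tmp: "^0.2.3" } },
    "node_modules/tmp": { version: "0.2.5", dev: true },
  },
});

// Constructed yarn.lock (v1): tmp pulled in by a packaging tool.
const SAMPLE_YARN_LOCK = `# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1

"@vscode/vsce@3.7.1":
  version "3.7.1"
  dependencies:
    tmp "^0.2.3"

tmp@^0.2.3:
  version "0.2.5"
`;

// Compare dotted numeric versions; pre-release suffixes ("1.2.3-beta") are
// dropped, so this is a deliberately small stand-in for a full semver compare.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] ?? 0;
    const y = pb[i] ?? 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// package-lock.json v2/v3 keys every installed copy by its install path, so a
// nested duplicate ("node_modules/a/node_modules/tmp") is found as well. The
// per-entry "dev" flag is what lets a reviewer call a package dev-only.
function findInPackageLock(lockJson, pkg) {
  const lock = JSON.parse(lockJson);
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages ?? {})) {
    if (path === `node_modules/${pkg}` || path.endsWith(`/node_modules/${pkg}`)) {
      hits.push({ path, version: entry.version, dev: entry.dev === true });
    }
  }
  return hits;
}

// yarn.lock v1 is line-oriented: an unindented "name@range[, name@range]:"
// header followed by indented fields. It does not record dev vs. prod, so dev
// is null here and has to be resolved from package.json separately.
function findInYarnLock(lockText, pkg) {
  const hits = [];
  let current = null;
  for (const raw of lockText.split("\n")) {
    const line = raw.replace(/\r$/, "");
    if (line && !line.startsWith(" ") && !line.startsWith("#")) {
      const selectors = line
        .replace(/:$/, "")
        .split(",")
        .map((s) => s.trim().replace(/^"|"$/g, ""));
      current = selectors.some((s) => s.startsWith(`${pkg}@`))
        ? { path: selectors.join(", "), version: null, dev: null }
        : null;
    } else if (current) {
      const m = line.match(/^\s+version\s+"([^"]+)"/);
      if (m) {
        current.version = m[1];
        hits.push(current);
        current = null;
      }
    }
  }
  return hits;
}

// Run both parsers and mark each resolved copy vulnerable if it is below the
// advisory's fixed version. Findings are returned in lockfile order.
function auditLockfiles({ packageLockJson, yarnLockText }, advisory = ADVISORY) {
  const found = [
    ...findInPackageLock(packageLockJson, advisory.pkg).map((h) => ({ lockfile: "package-lock.json", ...h })),
    ...findInYarnLock(yarnLockText, advisory.pkg).map((h) => ({ lockfile: "yarn.lock", ...h })),
  ];
  return found.map((f) => ({
    ...f,
    advisory: advisory.id,
    vulnerable: compareVersions(f.version, advisory.fixedIn) < 0,
  }));
}

for (const f of auditLockfiles({ packageLockJson: SAMPLE_PACKAGE_LOCK, yarnLockText: SAMPLE_YARN_LOCK })) {
  console.log(`${f.lockfile}: ${f.path} -> ${f.version} ${f.vulnerable ? "VULNERABLE" : "ok"} (dev: ${f.dev})`);
}
```

To run it against a real checkout, replace the two constructed constants with `fs.readFileSync(...)` of the lockfiles. Note that the yarn finding comes back with `dev: null`: a yarn v1 lockfile does not say whether a package is a devDependency, which is why the review had to cite `extension/package.json` as well as the lockfile to support the dev-only claim.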
- PRRT_kwDOQK_VN86FwICn: Remove the tmp security-update note from the Aspire 13.4 release notes because release/13.4 still resolves tmp to 0.2.5.
- PRRT_kwDOQK_VN86Fvhxw: Remove the long added paragraph with the same section, resolving the wrapping concern.

Verified against microsoft/aspire@11bea2e on branch release/13.4. Edited per the doc-writer skill. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Documents changes from microsoft/aspire#17594 by @IEvangelist. Targeting `release/13.4` — the latest release branch on `microsoft/aspire.dev` — because `release/13.5` (from the source PR milestone `13.5`) does not exist there.

Why this PR is needed

The source PR references security advisory GHSA-ph9p-34f9-6g65 (high-severity path traversal in `tmp < 0.2.6`), triggering the `pr_body_has_security_marker` signal. While the fix is limited to dev-only transitive dependencies in the VS Code extension and an Angular playground sample (not shipped in any Aspire NuGet package), a brief disclosure note in the release notes is appropriate for users who may track security advisories for the Aspire toolchain.

Changes

Added a 🔒 Security updates section to `src/frontend/src/content/docs/whats-new/aspire-13-4.mdx` noting: `tmp` npm package was updated to resolve GHSA-ph9p-34f9-6g65

Files modified

`src/frontend/src/content/docs/whats-new/aspire-13-4.mdx` — updated (new section added)