fix: fix vuln CVE-2026-44705 BED-8394

[Holocraft]

Description

This fix patches the tmp package which has a high severity vulnerability.
More here: GHSA-ph9p-34f9-6g65

Motivation and Context

Resolves: BED-8394

How Has This Been Tested?

Manually

Screenshots (optional):

Types of changes

• Bug fix (non-breaking change which fixes an issue)

Checklist:

• I have met the contributing prerequisites
  • Assigned myself to this PR
  • Added the appropriate labels
  • Associated an issue: Issues and Pull Requests README #672
  • Read the Contributing guide: https://github.com/SpecterOps/BloodHound/wiki/Contributing
• I have ensured that related documentation is up-to-date
  • Open API docs
  • Code comments (GoDocs / JSDocs)
• I have followed proper test practices
  • Added/updated tests to cover my changes
  • All new and existing tests passed

Summary by CodeRabbit

• Chores
  • Package manager configuration updated to preapprove and pin the tmp package (v0.2.6) to address CVE-2026-44705. This reduces recurring advisory noise in dependency scans, aligns audit outputs, and stabilizes dependency resolution across installs.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Pro

Run ID: 9abadf5b-103c-4754-a5ad-b2232fdceb72

📥 Commits

Reviewing files that changed from the base of the PR and between 31ecd5f and 0e70d7c.

📒 Files selected for processing (1)

• .yarnrc.yml

🚧 Files skipped from review as they are similar to previous changes (1)

• .yarnrc.yml

---

📝 Walkthrough

Walkthrough

Enables npmPreapprovedPackages in .yarnrc.yml with tmp preapproved (comment references CVE-2026-44705), and adds a resolutions entry in package.json pinning tmp to 0.2.6.

Changes

Dependency pin + Yarn preapprove

Layer / File(s)	Summary
Enable npmPreapprovedPackages and pin tmp .yarnrc.yml, package.json	Enables npmPreapprovedPackages in .yarnrc.yml and adds tmp to that list; adds resolutions.tmp: "0.2.6" to package.json.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly references the vulnerability fix (CVE-2026-44705) and the ticket (BED-8394), directly matching the PR's main objective of patching the tmp package vulnerability.
Description check	✅ Passed	The description includes all required sections from the template: Description, Motivation and Context with ticket reference, How Has This Been Tested, Types of changes, and a completed Checklist with appropriate items marked.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch BED-8394

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.yarnrc.yml:
- Around line 26-27: The preapproval entry currently uses npmPreapprovedPackages
with a bare "tmp" which bypasses npmMinimalAgeGate for all tmp releases; update
the npmPreapprovedPackages entry to target only the patched version range (e.g.,
the minimal semver range that contains the CVE-2026-44705 fix) and add a comment
or separate expiry mechanism to remove the exception after the temporary window;
reference the existing npmPreapprovedPackages key and the "tmp" package name and
ensure the new value is a specific version or semver range so only patched tmp
versions are exempted.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Pro

Run ID: c98af5d7-f69d-4a2d-88e5-3dc80c037d8d

📥 Commits

Reviewing files that changed from the base of the PR and between 18e5877 and 97a99cc.

⛔ Files ignored due to path filters (4)

• .yarn/cache/os-tmpdir-npm-1.0.2-e305b0689b-5666560f7b.zip is excluded by !**/.yarn/**, !**/*.zip
• .yarn/cache/tmp-npm-0.0.33-bcbf65df2a-09c0abfd16.zip is excluded by !**/.yarn/**, !**/*.zip
• .yarn/cache/tmp-npm-0.2.7-a6fd3441a0-0a3bc90beb.zip is excluded by !**/.yarn/**, !**/*.zip
• yarn.lock is excluded by !**/yarn.lock, !**/*.lock

📒 Files selected for processing (1)

• .yarnrc.yml