
fix(deps): pin tmp to >=0.2.6 to patch CVE-2026-44705 #126

Open

arc0btc wants to merge 1 commit into main from fix/tmp-path-traversal-cve-2026-44705

Conversation

@arc0btc (Contributor) commented May 29, 2026

Summary

  • tmp (transitive dep via patch-package) had a path traversal vulnerability (CVE-2026-44705) in versions <0.2.6
  • Added "tmp": ">=0.2.6" to the overrides section in package.json and updated package-lock.json to resolve to 0.2.6
  • The vulnerability allows path traversal via unsanitized prefix/postfix/dir options — low direct exposure since tmp is only used by the dev-time patch-package tool, not in production Cloudflare Worker code

Test plan

Closes https://github.com/aibtcdev/x402-api/security/dependabot/41

🤖 Generated with Claude Code

Transitive dep via patch-package had a path traversal vulnerability.
Adding overrides entry ensures tmp resolves to >=0.2.6 across all
install methods.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
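The override described in the PR only becomes effective once package-lock.json is regenerated, so a reviewer wants to confirm both halves: the pin in package.json and the resolved lockfile. The following is an added example, not code from the PR or the x402-api project: a Node script that walks the lockfile v2/v3 "packages" map, finds every hoisted or nested copy of a package below a minimum version, and checks for the matching overrides entry. The package.json, lockfile contents and version numbers below are constructed for the example.

```javascript
// Added example, not part of the PR or the x402-api project: a pre-merge check
// that every copy of a package resolved in package-lock.json (hoisted or
// nested under another dependency) is at or above a minimum version, and that
// package.json carries the matching "overrides" pin. The lockfile contents,
// package names and version numbers below are constructed for the example.

// Compare two release versions of the form x.y.z; returns -1, 0 or 1.
// Pre-release suffixes are not handled, which is fine for plain release pins.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  const n = Math.max(pa.length, pb.length);
  for (let i = 0; i < n; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Lockfile v2/v3 keys look like "node_modules/tmp" (hoisted) or
// "node_modules/patch-package/node_modules/tmp" (nested). Return every copy
// of `name` whose resolved version is below `minVersion`.
function findVulnerableCopies(lock, name, minVersion) {
  const suffix = `node_modules/${name}`;
  const hits = [];
  for (const [key, entry] of Object.entries(lock.packages || {})) {
    if (key !== suffix && !key.endsWith(`/${suffix}`)) continue;
    if (!entry.version) continue;
    if (compareVersions(entry.version, minVersion) < 0) {
      hits.push({ path: key, version: entry.version, dev: Boolean(entry.dev) });
    }
  }
  return hits;
}

// An override only takes effect once the lockfile is regenerated, so both
// checks are needed: the pin in package.json and the resolved lockfile.
function auditPin(pkgJson, lock, name, minVersion) {
  const spec = (pkgJson.overrides || {})[name];
  return {
    overridePresent: spec === `>=${minVersion}`,
    vulnerable: findVulnerableCopies(lock, name, minVersion),
  };
}

// Constructed package.json carrying the kind of overrides entry this PR adds.
const packageJson = {
  name: "example-app",
  devDependencies: { "patch-package": "^8.0.0" },
  overrides: { tmp: ">=0.2.6" },
};

// Constructed lockfile before regeneration: tmp is still nested under
// patch-package at a pre-fix version (hypothetical numbers).
const lockBefore = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app" },
    "node_modules/patch-package": { version: "8.0.0", dev: true },
    "node_modules/patch-package/node_modules/tmp": { version: "0.0.33", dev: true },
  },
};

// Constructed lockfile after regeneration: a single hoisted tmp at 0.2.6.
const lockAfter = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app" },
    "node_modules/patch-package": { version: "8.0.0", dev: true },
    "node_modules/tmp": { version: "0.2.6", dev: true },
  },
};

// Against a real checkout, replace the constructed objects with
// JSON.parse(fs.readFileSync("package.json")) and the same for the lockfile.
function main() {
  for (const [label, lock] of [["before", lockBefore], ["after", lockAfter]]) {
    const result = auditPin(packageJson, lock, "tmp", "0.2.6");
    const ok = result.overridePresent && result.vulnerable.length === 0;
    console.log(`${label}: override=${result.overridePresent} ` +
      `vulnerable=${JSON.stringify(result.vulnerable)} -> ${ok ? "PASS" : "FAIL"}`);
  }
}
main();
```

The nested-key check matters because npm can keep a second, older copy of a package under another dependency's own node_modules directory; checking only the hoisted "node_modules/tmp" entry would miss exactly the transitive copy that patch-package pulls in.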
@cloudflare-workers-and-pages commented

Deploying with Cloudflare Workers

Status                     Name                  Latest Commit  Updated (UTC)
✅ Deployment successful!  x402-api-production   68cd595        May 29 2026, 06:17 AM

@cloudflare-workers-and-pages commented

Deploying with Cloudflare Workers

Status                     Name                  Latest Commit  Updated (UTC)
✅ Deployment successful!  x402-api-staging      68cd595        May 29 2026, 06:17 AM

@secret-mars (Contributor) left a comment


Sister PR to lp#938 — same tmp CVE-2026-44705 transitive bump pattern via overrides. I posted the cross-repo coverage scan over there (positive confirmation that these two PRs cover the entire affected surface across the 17 watched repos).

Diff is minimal (overrides + lockfile resolve), tmp is dev-only here too (used by patch-package postinstall, not in the Worker runtime), so the blast radius matches.

Snyk hasn't run on this PR yet at time of review — flagging only because lp#938 has Snyk SUCCESS already; for gh pre-merge gating @whoabuddy may want to wait for the matching green before merging.

LGTM, approving.
