Bump tmp and patch-package

[dependabot]

Bumps tmp and patch-package. These dependencies needed to be updated together.
Updates tmp from 0.1.0 to 0.2.5

Changelog

Sourced from tmp's changelog.

v0.2.2 (2024-02-28)

🐛 Bug Fix

• #278 Closes #268: Revert "fix #246: remove any double quotes or single quotes… (@​mbargiel)

📝 Documentation

• #279 Closes #266: move paragraph on graceful cleanup to the head of the documentation (@​silkentrance)

Committers: 5

• Carsten Klein (@​silkentrance)
• Dave Nicolson (@​dnicolson)
• KARASZI István (@​raszi)
• Maxime Bargiel (@​mbargiel)
• @​robertoaceves

v0.2.1 (2020-04-28)

🚀 Enhancement

• #252 Closes #250: introduce tmpdir option for overriding the system tmp dir (@​silkentrance)

🏠 Internal

• #253 Closes #191: generate changelog from pull requests using lerna-changelog (@​silkentrance)

Committers: 1

• Carsten Klein (@​silkentrance)

v0.2.0 (2020-04-25)

🚀 Enhancement

• #234 feat: stabilize tmp for v0.2.0 release (@​silkentrance)

🐛 Bug Fix

• #231 Closes #230: regression after fix for #197 (@​silkentrance)
• #220 Closes #197: return sync callback when using the sync interface, otherwise return the async callback (@​silkentrance)
• #193 Closes #192: tmp must not exit the process on its own (@​silkentrance)

📝 Documentation

• #221 Gh 206 document name option (@​silkentrance)

🏠 Internal

• #226 Closes #212: enable direct name option test (@​silkentrance)
• #225 Closes #211: existing tests must clean up after themselves (@​silkentrance)
• #224 Closes #217: name tests must use tmpName (@​silkentrance)
• #223 Closes #214: refactor tests and lib (@​silkentrance)
• #198 Update dependencies to latest versions (@​matsev)

... (truncated)

Commits

• 3d2fe38 Bump up the version
• e162828 Merge pull request #309 from fflorent/fix-tmp-dir-with-dir
• b847d2f Fix use of tmp.dir() with dir option
• 08fa3ab Update version
• 1cf4ec5 Merge commit from fork
• 188b25e Fix GHSA-52f5-9888-hmc6
• 73b9fe4 Add test case for GHSA-52f5-9888-hmc6
• b8e2f29 Remove broken tests
• 2892a02 Remove outdated URL
• f592318 Reformat package.json
• Additional commits viewable in compare view

Updates patch-package from 6.5.1 to 8.0.1

Release notes

Sourced from patch-package's releases.

v8.0.0

• Add support for multiple patch files for a single package. (@​ds300) #474

Breaking

I removed some really old legacy filename handling stuff so it's technically a breaking change.

v7.0.0

7.0.0

Breaking changes

• Bump yaml to fix security issue. Required bumping minimum node version from 8 to 14. (contribution from @​mayank99 in #463)

Other changes

• Bump cross-spawn (contribution from @​stianjensen in #457)
• Replace is-ci with ci-info (contribution from @​paescuj in #446)
• Make version number parsing more robust (contribution from @​MHekert in #361)

Changelog

Sourced from patch-package's changelog.

8.0.1

• Update tmp to fix security alert. #578

8.0.0

• Add support for multiple patch files for a single package. #474

Breaking Changes

• Removed support for some very old legacy filename format stuff (pre-2019).

7.0.2

• Bump semver again (contribution from @​rsanchez in #477)

7.0.1

• Bump semver (contribution from @​stianjensen in #466)

Breaking changes

• Bump yaml to fix security issue. Required bumping minimum node version from 8 to 14. (contribution from @​mayank99 in #463)

Other changes

• Bump cross-spawn (contribution from @​stianjensen in #457)
• Replace is-ci with ci-info (contribution from @​paescuj in #446)
• Make version number parsing more robust (contribution from @​MHekert in #361)

Commits

• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.

[JamieMagee]

@dependabot rebase

[JamieMagee]

Review

Looked through the changes - this is straightforward.

What's happening

• tmp goes from 0.1.0 to 0.2.5 (fixes GHSA-52f5-9888-hmc6)
• patch-package goes from 6.5.1 to 8.0.1 (they share the tmp dependency, hence the joint update)

The lock file shrinks by ~280 lines because the newer versions use modern dependencies (cross-spawn 7, which 2, etc.) that match what other packages already need. Less duplication.

Breaking changes in these versions

patch-package 7+: Requires Node 14+. Dropped some legacy patch filename handling from pre-2019.

patch-package 8: Adds multi-patch support per package. More old filename format removal.

tmp 0.2.x: Requires Node 14.14+. Dropped the rimraf dependency entirely.

None of this matters here - the project already requires Node 18+ based on other deps.

The existing patch file

There's one patch in the repo (patches/spdx-correct+3.2.0.patch). It uses standard format - should apply fine with patch-package 8.x. Worth confirming after merge with:

npm ci && npx patch-package

Verdict

Looks good to merge once CI passes. Standard security update, no red flags.