I found this old-ish issue which I suspect should be closed: #883
But even the latest version of commitizen contains the following issue:
```
# npm audit report

tmp <=0.2.3
tmp allows arbitrary temporary file / directory write via symbolic link `dir` parameter - https://github.com/advisories/GHSA-52f5-9888-hmc6
```

Caused by:

```
├─┬ commitizen@4.3.1
│ └─┬ inquirer@8.2.5
│   └─┬ external-editor@3.1.0
│     └── tmp@0.0.33
```
This issue is still not fixed as of now, even in the latest inquirer version. But once this issue is resolved, the inquirer package should be updated: SBoudrias/Inquirer.js#1802