HARMONY-2170: Address tmp vulnerability. #802

Closed
wants to merge 2 commits into from

Conversation

@ygliuvt ygliuvt commented Aug 8, 2025

Jira Issue ID

HARMONY-2170

Description

Address tmp vulnerability.

Local Test Steps

npm install
npm run test

PR Acceptance Checklist

  • Acceptance criteria met
  • Tests added/updated (if needed) and passing
  • Documentation updated (if needed)
  • Harmony in a Box tested (if changes made to microservices or new dependencies added)

Summary by CodeRabbit

  • Chores
    • Updated the "tmp" dependency to version ^0.2.4 across multiple services.
    • Removed or cleaned up certain configuration entries in various service configuration files.

coderabbitai bot commented Aug 8, 2025

Walkthrough

This change removes or updates configuration entries keyed "1106845" from multiple .nsprc files across the repository, often replacing their content with empty JSON objects or leaving only unrelated entries. Additionally, the "tmp" dependency is updated from version "^0.2.1" to "^0.2.4" in several package.json files.

Changes

Cohort / File(s) Change Summary
Update "tmp" dependency
services/cron-service/package.json, services/harmony/package.json, services/query-cmr/package.json, services/service-runner/package.json, services/work-failer/package.json, services/work-scheduler/package.json, services/work-updater/package.json
Bumped "tmp" dependency version from "^0.2.1" to "^0.2.4".
Remove .nsprc entry "1106845" and empty file
packages/util/.nsprc, services/cron-service/.nsprc, services/query-cmr/.nsprc, services/work-failer/.nsprc, services/work-updater/.nsprc
Removed all content by replacing with empty JSON objects, deleting entry "1106845" and any others.
Remove .nsprc entry "1106845" (retain others)
services/harmony/.nsprc, services/service-runner/.nsprc, services/work-scheduler/.nsprc
Deleted only the entry keyed "1106845"; other configuration entries remain unchanged.
Update .nsprc key and notes
.nsprc
Changed key from "1106845" to "1106849" and updated "notes" field; other fields unchanged.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~7 minutes

Suggested reviewers

  • chris-durbin
  • indiejames

Poem

In the warren of code, a rabbit hopped by,
Sweeping old configs out with a twinkle in its eye.
"tmp" is now fresher, the numbers are neat—
All the old clutter, replaced or deleted.
Hippity-hop, the code’s light and spry! 🐇✨

📜 Recent review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 4c7f187 and b8211b9.

⛔ Files ignored due to path filters (1)
  • package-lock.json is excluded by !**/package-lock.json
📒 Files selected for processing (1)
  • .nsprc (1 hunks)
🚧 Files skipped from review as they are similar to previous changes (1)
  • .nsprc
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)
  • GitHub Check: compare-services
  • GitHub Check: build (22.14.x)
  • GitHub Check: build (22.14.x)

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 4

🔭 Outside diff range comments (1)
services/work-scheduler/.nsprc (1)

1-12: Repo-wide tmp upgrade consistency check – update override versions

All .nsprc files are valid JSON and contain no lingering "1106845" ignores. No packages pin tmp at 0.2.1, and all service package.json dependencies use ^0.2.4. However, the override entries in two package manifests currently pin tmp exactly to 0.2.4 rather than the intended semver range.

Please update these override blocks:

  • package.json (repo root)
    Change

    "overrides": {
      "tmp": "0.2.4"
    }

    to

    "overrides": {
      "tmp": "^0.2.4"
    }
  • packages/util/package.json
    Change

    "overrides": {
      "tmp": "0.2.4"
    }

    to

    "overrides": {
      "tmp": "^0.2.4"
    }

After making those edits, rerun your checks to confirm all tmp pins and overrides consistently use ^0.2.4.

🧹 Nitpick comments (5)
services/cron-service/package.json (1)

77-77: LGTM — tmp bumped to ^0.2.4

Matches the coordinated upgrade. If cron-service is built in isolation, consider adding a local "overrides": {"tmp": "0.2.4"} as noted in work-updater to force transitive pins during its Docker build.

services/work-scheduler/package.json (1)

68-68: LGTM — tmp bumped to ^0.2.4

Change is scoped and consistent. Optional: add a local override for tmp to ensure transitive resolution when building this service alone (see script in work-updater comment).

services/service-runner/package.json (1)

59-59: LGTM — tmp bumped to ^0.2.4

Recommend validating that service-runner’s lockfile resolves to 0.2.4+ and, if this service is built standalone, consider adding a local override for tmp to guarantee transitive resolution during image builds.

services/query-cmr/.nsprc (1)

1-4: Optional: consider removing empty .nsprc files to reduce repo noise.

If you don’t need any ignores, deleting the empty file is cleaner (better-npm-audit will work without it).

package.json (1)

87-87: Prefer exact versions for overrides.

Overrides are meant to force a precise resolution. Consider pinning @octokit/plugin-paginate-rest to “9.2.2” instead of a caret range.

   "overrides": {
     "cross-spawn": "7.0.5",
-    "@octokit/plugin-paginate-rest": "^9.2.2",
+    "@octokit/plugin-paginate-rest": "9.2.2",
     "tmp": "0.2.4"
   }
📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between e6ef063 and 7d3effe.

⛔ Files ignored due to path filters (9)
  • package-lock.json is excluded by !**/package-lock.json
  • packages/util/package-lock.json is excluded by !**/package-lock.json
  • services/cron-service/package-lock.json is excluded by !**/package-lock.json
  • services/harmony/package-lock.json is excluded by !**/package-lock.json
  • services/query-cmr/package-lock.json is excluded by !**/package-lock.json
  • services/service-runner/package-lock.json is excluded by !**/package-lock.json
  • services/work-failer/package-lock.json is excluded by !**/package-lock.json
  • services/work-scheduler/package-lock.json is excluded by !**/package-lock.json
  • services/work-updater/package-lock.json is excluded by !**/package-lock.json
📒 Files selected for processing (18)
  • .nsprc (1 hunks)
  • package.json (1 hunks)
  • packages/util/.nsprc (1 hunks)
  • packages/util/package.json (1 hunks)
  • services/cron-service/.nsprc (1 hunks)
  • services/cron-service/package.json (1 hunks)
  • services/harmony/.nsprc (0 hunks)
  • services/harmony/package.json (1 hunks)
  • services/query-cmr/.nsprc (1 hunks)
  • services/query-cmr/package.json (1 hunks)
  • services/service-runner/.nsprc (1 hunks)
  • services/service-runner/package.json (1 hunks)
  • services/work-failer/.nsprc (1 hunks)
  • services/work-failer/package.json (1 hunks)
  • services/work-scheduler/.nsprc (1 hunks)
  • services/work-scheduler/package.json (1 hunks)
  • services/work-updater/.nsprc (1 hunks)
  • services/work-updater/package.json (1 hunks)
💤 Files with no reviewable changes (1)
  • services/harmony/.nsprc
🧰 Additional context used
🧠 Learnings (1)
📚 Learning: 2025-08-07T16:38:04.160Z
Learnt from: indiejames
PR: nasa/harmony#799
File: services/cron-service/app/cronjobs/publish-failure-metrics.ts:191-191
Timestamp: 2025-08-07T16:38:04.160Z
Learning: In TypeScript files in the Harmony codebase, functions may use module.exports to call other functions within the same module to allow sinon mocks for testing purposes, even when using ES6 modules.

Applied to files:

  • services/harmony/package.json
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)
  • GitHub Check: build (22.14.x)
  • GitHub Check: compare-services
  • GitHub Check: build (22.14.x)
🔇 Additional comments (14)
.nsprc (1)

1-1: Clearing legacy audit suppression looks good

Removing the ignore entry is appropriate given the tmp version bump.

packages/util/package.json (1)

84-86: Good: tmp overridden to a fixed secure version (0.2.4)

Pinning via npm “overrides” ensures transitive consumers (e.g., tmp-promise) resolve to the patched version.

packages/util/.nsprc (1)

1-1: OK to remove suppression here as well

Consistent with root cleanup; this should let better-npm-audit surface any future issues.

services/query-cmr/package.json (2)

71-71: tmp upgraded to ^0.2.4 — aligns with the vulnerability fix

Version bump is appropriate and consistent with the PR goal.


71-71: No insecure tmp usage detected in production code

All tmp/tmp-promise imports and calls were audited. The only instance of unsafeCleanup: true appears in test helper code—acceptable for forced cleanup in tests. No changes needed.

  • services/harmony/test/helpers/object-store.ts:

    dir = tmp.dirSync({ unsafeCleanup: true });

services/work-failer/package.json (1)

79-79: tmp upgraded to ^0.2.4 — looks good

Matches the coordinated dependency bump across services.

services/work-updater/package.json (1)

83-83: LGTM — bumped tmp to ^0.2.4

This aligns with the PR goal to address the tmp vulnerability. No other changes in this package.json are impacted.

services/harmony/package.json (1)

156-156: LGTM — tmp bumped to ^0.2.4

Two quick checks:

  • Ensure package-lock(s) resolve to >= 0.2.4.
  • Harmony declares @types/tmp (^0.2.3). Verify type compatibility with tmp 0.2.4; bump @types/tmp within ^0.2.x if needed.

You can reuse the repo-wide script from the work-updater comment to validate lockfiles.

services/work-updater/.nsprc (1)

1-1: Removing the ignore is correct and aligns with fixing the tmp advisory.

Empty .nsprc means no advisory is suppressed anymore—good cleanup once the vulnerable tmp version is removed.

services/work-failer/.nsprc (1)

1-1: Good: stop suppressing the tmp advisory here as well.

Consistent with the goal of addressing the tmp vulnerability across services.

package.json (1)

88-88: Ensure tmp@0.2.4 is enforced in every workspace install

Scan results:

  • Root package.json & packages/util/package.json both declare overrides.tmp = "0.2.4"
  • All service packages list tmp in dependencies at ^0.2.4
  • No other tmp constraints were found, and no tmp entries appeared in any package-lock.json (verify whether you’re using npm’s package-lock.json or Yarn’s yarn.lock)

Because your workflow uses lerna exec -- npm install in each sub-package, the root-level override won’t apply there. While pinning each service to ^0.2.4 covers the current patch, it will float to 0.2.x beyond 0.2.4 if a new patch is released. To fully lock tmp to 0.2.4 across all installs, you can:

  • Change each service’s dependency from "^0.2.4" to the exact "0.2.4"
  • Add an overrides: { "tmp": "0.2.4" } section in each sub-package’s package.json
  • Or switch to running a single npm install at the monorepo root (using npm workspaces) so the root override propagates automatically

Please review your lockfile strategy and confirm that no tmp version > 0.2.4 can be resolved.

services/cron-service/.nsprc (1)

1-1: Consistent cleanup — no ignored advisories.

Matches the repo-wide effort to unsuppress the tmp vulnerability.

services/work-scheduler/.nsprc (1)

11-11: LGTM — ignore for advisory 1106845 appears removed and JSON remains valid.

No trailing comma issues; structure is correct.

services/service-runner/.nsprc (1)

11-11: LGTM — removal of advisory 1106845 ignore and JSON formatting look correct.

Consistent with PR goal to address tmp vulnerability rather than suppress it.

.nsprc Outdated
{}

💡 Verification agent

🧩 Analysis chain

Optional: Delete empty .nsprc and verify no legacy suppressions remain

Since the file is now {}, consider removing it entirely to avoid confusion. Also verify that no other .nsprc files still suppress the old advisory.


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "List all .nsprc files:"
fd -uu -t f .nsprc

echo "Check for lingering '1106845' suppressions anywhere:"
rg -n -S "1106845" || echo "OK: no 1106845 references found"

echo "Find non-empty .nsprc files (more than just {}):"
fd -uu -t f .nsprc | while read -r f; do
  # consider files > 3 bytes as non-empty (accounts for "{}\n")
  size=$(wc -c < "$f" | xargs)
  if [ "$size" -gt 3 ]; then echo "Non-empty: $f ($size bytes)"; fi
done

Length of output: 1748


Cleanup empty .nsprc files and verify remaining suppressions

The root .nsprc is now empty, and there are three other empty suppression files (≤3 bytes). To reduce noise, delete these:

  • .nsprc
  • packages/util/.nsprc
  • services/work-failer/.nsprc
  • services/work-updater/.nsprc

All other .nsprc files contain content (suppressions) and should be kept only if those advisories are still relevant. Your RG check confirmed no lingering 1106845 suppressions remain.

🤖 Prompt for AI Agents
In the root `.nsprc` file and the `.nsprc` files in `packages/util/`,
`services/work-failer/`, and `services/work-updater/` directories, delete these
files entirely as they are empty and add noise. For all other `.nsprc` files,
review their contents and keep only those with relevant suppressions, ensuring
no obsolete advisories like `1106845` remain.

Comment on lines 84 to 86
"cross-spawn": "7.0.5",
"tmp": "0.2.4"
}

💡 Verification agent

🧩 Analysis chain

Ensure workspace-wide consistency and avoid duplicate overrides

If a root-level override for tmp is present, you can drop per-package overrides to reduce drift. If not, consider adding one at the root to enforce the fix across all workspaces.


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "Where is tmp specified (dependencies or overrides)?"
rg -n --glob '!**/node_modules/**' $'"tmp"\\s*:\\s*"[^^]?0\\.2\\.4|\\^0\\.2\\.4|0\\.2\\.4"'

echo "Find per-package overrides of tmp:"
rg -n --glob '!**/node_modules/**' $'"overrides"\\s*:\\s*\\{[\\s\\S]*?"tmp"\\s*:\\s*".*?"[\\s\\S]*?\\}' -A 3 -B 3

echo "Optional: check package-locks for installed tmp version(s) if present:"
fd -uu package-lock.json | while read -r f; do
  echo "== $f =="; rg -n '"name":\\s*"tmp"|("version":\\s*"0\\.2\\.4")' "$f" -n || true
done

Length of output: 2224


Add a root-level override for tmp to enforce version consistency

I didn’t find any overrides (npm) or resolutions (Yarn) entry for tmp in your root package.json. Right now each workspace pins it individually (some use 0.2.4, others ^0.2.4), which can lead to drift. To consolidate:

  • In your root package.json, add an overrides/resolutions block:

    {
      // …
      "overrides": {
        "tmp": "0.2.4"
      }
    }
  • (Optional) Standardize each workspace’s direct dependency on tmp to the same spec (0.2.4 or ^0.2.4) for clarity.

This ensures a single source of truth and avoids per-package duplication.

🤖 Prompt for AI Agents
In packages/util/package.json around lines 84 to 86, add a root-level
"overrides" field specifying "tmp": "0.2.4" to enforce consistent version usage
across all workspaces. This involves inserting an "overrides" block at the root
of the package.json with the key "tmp" set to "0.2.4". Additionally, standardize
the "tmp" dependency version in each workspace's package.json to match this
exact version for clarity and consistency.

@@ -76,7 +76,7 @@
"pg": "^8.7.3",
"pg-native": "^3.0.1",
"shpjs": ">=4.0.4 <5.0.0",
"tmp": "^0.2.1",
"tmp": "^0.2.4",
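
Review bot: The bump from `"tmp": "^0.2.1"` to `"tmp": "^0.2.4"` on the last two lines of this hunk only raises the floor of this service's direct dependency; a caret range still lets npm pick any later 0.2.x, and it does not constrain transitive consumers such as tmp-promise, which only an `overrides` entry pins. Since package-lock.json is excluded from this review by the path filter, please confirm that the regenerated lockfile resolves `node_modules/tmp` to 0.2.4 or later, and that this service's .nsprc no longer suppresses advisory 1106845 so better-npm-audit can flag any regression.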

💡 Verification agent

🧩 Analysis chain

Verify secure tmp usage in this service as well

Quickly scan any tmp/tmp-promise usage to ensure safe defaults and cleanup.


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "Locate tmp usages in work-failer:"
rg -n --glob '!**/node_modules/**' 'from [\'"]tmp' services/work-failer || true
rg -n --glob '!**/node_modules/**' 'from [\'"]tmp-promise' services/work-failer || true
rg -n --glob '!**/node_modules/**' '\\btmp\\.(file|dir)\\b|withFile|withDir' services/work-failer || true

echo "Flag risky options if present:"
rg -n --glob '!**/node_modules/**' 'unsafeCleanup\\s*:\\s*true|keep\\s*:\\s*true|mode\\s*:\\s*0o[0-5]' services/work-failer || true

Length of output: 206


The previous regex had a quoting issue. Let’s simplify the patterns and rerun to locate any tmp/tmp-promise usage and flag cleanup options:


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "Checking for tmp/tmp-promise imports in services/work-failer:"
rg -n --glob '!**/node_modules/**' \
  -e "import .*tmp" \
  -e "require .*tmp" \
  -e "import .*tmp-promise" \
  -e "require .*tmp-promise" services/work-failer || true

echo "Checking for tmp.file/tmp.dir usage:"
rg -n --glob '!**/node_modules/**' 'tmp\.' services/work-failer || true

echo "Checking for risky options (unsafeCleanup, keep, mode):"
rg -n --glob '!**/node_modules/**' \
  -e "unsafeCleanup" \
  -e "keep" \
  -e "mode\s*:\s*0o" services/work-failer || true

Length of output: 1483


No tmp usage detected – remove or secure tmp dependency

We scanned the entire services/work-failer directory and found no occurrences of:

  • import/require for tmp or tmp-promise
  • any calls to tmp.file, tmp.dir, withFile, or withDir

Next steps:

  • If you planned to use tmp, add the appropriate code with secure defaults (e.g. auto-cleanup or unsafeCleanup: true) where needed.
  • Otherwise, remove the unused "tmp": "^0.2.4" entry from services/work-failer/package.json.
🤖 Prompt for AI Agents
In services/work-failer/package.json at line 79, the "tmp" dependency is listed
but not used anywhere in the codebase. To fix this, either remove the "tmp"
dependency from package.json if it is unnecessary, or if you intend to use it,
add the relevant code that securely uses "tmp" with options like auto-cleanup or
unsafeCleanup set to true.

@@ -80,7 +80,7 @@
"pg": "^8.7.3",
"pg-native": "^3.0.1",
"shpjs": ">=4.0.4 <5.0.0",
"tmp": "^0.2.1",
"tmp": "^0.2.4",
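
Review bot: Same caret-range bump as the other services and fine on its own, but this package.json already carries an `overrides` block (semver, braces, fast-xml-parser, cross-spawn), and because the workflow runs `lerna exec -- npm install` inside each sub-package the root-level override never reaches it. Adding `"tmp": "0.2.4"` to that existing block in the same change is what actually guarantees the transitive pin; the dependency line alone leaves tmp-promise and friends to resolve whatever the lockfile says.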

💡 Verification agent

🧩 Analysis chain

Verify lockfiles and transitive pins; consider per-service override

Two follow-ups to ensure the fix is airtight across services and container builds:

  • Make sure no package-lock.json still resolves tmp < 0.2.4 anywhere.
  • If individual service Docker builds run npm install from the service dir (not the repo root), the root-level override for tmp may not apply. Consider pinning tmp via "overrides" in this service as well.

Suggested override addition:

   "overrides": {
+    "tmp": "0.2.4",
     "semver": "^7.6.2",
     "braces": "^3.0.3",
     "fast-xml-parser": "4.4.1",
     "cross-spawn": "7.0.5"
   }

Repo-wide verification script:


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "1) List all explicit tmp declarations in package.json (deps/devDeps/overrides):"
fd -t f package.json | sort | while read -r f; do
  # "// null" rather than "// empty": with "empty", a single missing field
  # would suppress the whole object and the file would never be reported.
  jq -r --arg file "$f" '
    {
      dep: (.dependencies.tmp // null),
      dev: (.devDependencies.tmp // null),
      over: (.overrides.tmp // null)
    }
    | to_entries
    | map(select(.value != null))
    | if (length>0) then
        "\($file): " + (map("\(.key)=\(.value)") | join(", "))
      else
        empty
      end
  ' "$f"
done

echo
echo "2) Inspect package-lock.json files for resolved tmp versions and flag any < 0.2.4:"
tmp_min_ver="0.2.4"
fail=0

# Feed the loop through process substitution so it runs in the current shell:
# in a pipeline the loop body is a subshell and "fail=1" would be lost.
# "|| fail=1" records a non-zero python exit without tripping "set -e".
while read -r f; do
python - "$f" "$tmp_min_ver" <<'PY' || fail=1
import json, sys
from pathlib import Path

path = Path(sys.argv[1])
min_ver = tuple(map(int, sys.argv[2].split(".")))

def parse_ver(v):
    """Compare on the first three numeric components; pre-release tags etc. yield None."""
    try:
        parts = v.split(".")
        return tuple(int(x) for x in parts[:3]) + (0,)*(3-len(parts))
    except Exception:
        return None

with path.open() as fh:
    data = json.load(fh)

versions = set()

# npm v7+ lockfile (lockfileVersion 2/3): "packages" keyed by install path
pkgs = data.get("packages") or {}
if isinstance(pkgs, dict):
    tmp_pkg = pkgs.get("node_modules/tmp")
    if isinstance(tmp_pkg, dict) and "version" in tmp_pkg:
        versions.add(tmp_pkg["version"])

# legacy "dependencies" listing (lockfileVersion 1, also kept in v2)
deps = data.get("dependencies") or {}
if isinstance(deps, dict) and "tmp" in deps:
    v = deps["tmp"].get("version")
    if v:
        versions.add(v)

older = []
for v in versions:
    pv = parse_ver(v)
    if pv and pv < min_ver:
        older.append(v)

if versions:
    print(f"{path}: resolved tmp -> {', '.join(sorted(versions))}")
if older:
    print(f"ERROR: {path} resolves tmp older than {'.'.join(map(str,min_ver))}: {', '.join(older)}")
    sys.exit(10)
PY
done < <(fd -t f package-lock.json | sort)

if [ "$fail" -ne 0 ]; then
  echo "One or more lockfiles resolve tmp < $tmp_min_ver"
  exit 1
fi

echo
echo "OK: All checked lockfiles resolve tmp >= $tmp_min_ver (or tmp not present)."

Length of output: 5679


Pin tmp via per-service override

All package-lock.json files now resolve tmp → 0.2.4. However, no service-level package.json currently declares an overrides.tmp, so if your Docker builds run npm install inside each service directory (rather than the repo root), the pin won’t apply.

• File: services/work-updater/package.json
Add tmp to the "overrides" section:

  "overrides": {
+   "tmp": "0.2.4",
    "semver": "^7.6.2",
    "braces": "^3.0.3",
    "fast-xml-parser": "4.4.1",
    "cross-spawn": "7.0.5"
  }

Repeat in any other service package.json that declares or relies on tmp.

📝 Committable suggestion

Suggested change
"tmp": "^0.2.4",
"overrides": {
"tmp": "0.2.4",
"semver": "^7.6.2",
"braces": "^3.0.3",
"fast-xml-parser": "4.4.1",
"cross-spawn": "7.0.5"
}
🤖 Prompt for AI Agents
In services/work-updater/package.json at line 83, add an "overrides" section if
it doesn't exist, and within it, specify "tmp": "0.2.4" to pin the tmp package
version at the service level. This ensures that when running npm install inside
the service directory, the tmp version is correctly overridden. Repeat this
addition in other service package.json files that use or depend on tmp.
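
An added example, not code from the Harmony repository or from CodeRabbit: the policy this thread and the earlier package.json comment converge on (direct tmp dependency at or above 0.2.4, an overrides pin wherever npm install runs on its own, and no lingering .nsprc suppression of advisory 1106845) written as a small Python check over parsed manifests. It assumes the .nsprc layout seen in this PR (keys are advisory ids, and an entry is taken as live unless it sets "active": false); the sample repository at the bottom is constructed, not Harmony's.

```python
import re

ADVISORY = "1106845"   # better-npm-audit advisory id the old .nsprc files suppressed
FIXED = (0, 2, 4)      # first tmp release the PR moves to


def parse_spec(spec):
    """Parse the two range forms used in this PR: exact "0.2.4" and caret
    "^0.2.4". Returns (lowest allowed version, is_exact); (None, False) for
    anything else, so unusual ranges are surfaced rather than guessed at."""
    m = re.fullmatch(r"(\^?)(\d+)\.(\d+)\.(\d+)", spec.strip())
    if not m:
        return None, False
    return tuple(int(x) for x in m.group(2, 3, 4)), m.group(1) == ""


def suppresses(nsprc, advisory):
    """True when the parsed .nsprc still carries a live entry for the advisory.
    Assumption: an entry is live unless it sets "active": false."""
    entry = (nsprc or {}).get(advisory)
    if entry is None:
        return False
    return not isinstance(entry, dict) or entry.get("active", True)


def check_workspace(pkg, nsprc, root_override_applies):
    """Return the list of problems for one workspace. pkg and nsprc are the
    parsed package.json and .nsprc; root_override_applies is False when the
    workspace is installed on its own (lerna exec -- npm install), in which
    case only an override in this package.json pins transitive consumers."""
    problems = []
    spec = (pkg.get("dependencies") or {}).get("tmp")
    override = (pkg.get("overrides") or {}).get("tmp")
    if spec is not None:
        low, _ = parse_spec(spec)
        if low is None:
            problems.append(f"unrecognised tmp range {spec!r}")
        elif low < FIXED:
            problems.append(f"tmp {spec} still admits a version below 0.2.4")
        if override is None and not root_override_applies:
            problems.append("no tmp override: transitive users (e.g. tmp-promise) "
                            "are unpinned in a standalone install")
    if override is not None:
        low, _ = parse_spec(override)
        if low is None or low < FIXED:
            problems.append(f"tmp override {override!r} does not force >= 0.2.4")
    if suppresses(nsprc, ADVISORY):
        problems.append(f"advisory {ADVISORY} is still suppressed in .nsprc")
    return problems


def audit(repo, per_workspace_install=True):
    """repo maps workspace path ("" for the root) to its parsed manifests.
    Returns {workspace: [problems]} for every workspace with a finding."""
    root_override = (repo[""]["package.json"].get("overrides") or {}).get("tmp")
    root_low, _ = parse_spec(root_override) if root_override else (None, False)
    root_applies = (not per_workspace_install) and root_low is not None and root_low >= FIXED
    findings = {}
    for path, files in repo.items():
        applies = root_applies or path == ""   # the root's own override always applies to it
        problems = check_workspace(files["package.json"], files.get(".nsprc"), applies)
        if problems:
            findings[path] = problems
    return findings


# Constructed sample monorepo (not Harmony's real manifests) covering the cases
# raised in the review: fully pinned, a stale caret range with a lingering
# suppression, and a correct range without a per-service override.
SAMPLE_REPO = {
    "": {"package.json": {"overrides": {"tmp": "0.2.4"}}, ".nsprc": {}},
    "services/good": {"package.json": {"dependencies": {"tmp": "^0.2.4"},
                                       "overrides": {"tmp": "0.2.4"}}, ".nsprc": {}},
    "services/stale": {"package.json": {"dependencies": {"tmp": "^0.2.1"}},
                       ".nsprc": {ADVISORY: {"active": True, "notes": "tmp advisory"}}},
    "services/unpinned": {"package.json": {"dependencies": {"tmp": "^0.2.4"}},
                          ".nsprc": None},
}

if __name__ == "__main__":
    for mode in (True, False):
        print(f"per-workspace install = {mode}")
        for ws, problems in audit(SAMPLE_REPO, per_workspace_install=mode).items():
            for p in problems:
                print(f"  {ws or '<root>'}: {p}")
```

Run with per_workspace_install=False to model a single root npm install with npm workspaces, where the root override propagates and only the stale service remains flagged.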

@ygliuvt ygliuvt force-pushed the harmony-2170 branch 4 times, most recently from b8211b9 to 7d3effe Compare August 8, 2025 21:12
@chris-durbin
Contributor

Merged in with HARMONY-2173

@chris-durbin chris-durbin deleted the harmony-2170 branch August 12, 2025 13:04