Bump tmp and react-scripts

[dependabot]

Removes tmp. It's no longer used after updating ancestor dependency react-scripts. These dependencies need to be updated together.

Removes tmp

Updates react-scripts from 1.0.13 to 5.0.1

Release notes

Sourced from react-scripts's releases.

v1.0.14

1.0.14 (September 26, 2017)

🐛 Bug Fix

• react-dev-utils

  • #3098 Always reload the page on next compile after a runtime error. (@​Timer)

• react-error-overlay

  • #3079 Fix code context on Windows. (@​Timer)

💅 Enhancement

• react-dev-utils

  • #3077 Auto-detect running editor on Linux for error overlay. (@​gulderov)

  • #3131 Display process pid in already running message. (@​Pajn)

📝 Documentation

• Other

  • #3163 Add link to active CSS modules discussion. (@​NeekSandhu)

• react-scripts

  • #2908 Note that class fields have progressed to stage 3. (@​rickbeerendonk)

  • #3160 Update unclear wording in webpack configuration (file loader section). (@​kristiehoward)

• eslint-config-react-app

  • #3072 Update eslint versions for install instructions. (@​jdcrensh)

🏠 Internal

• react-scripts

  • #3157 Update webpack-dev-server to 2.8.2. (@​nikolas)

  • #2989 Update install template to match accessibility guidelines. (@​davidleger95)

• react-error-overlay

  • #3065 Updated react-error-overlay to latest Flow (0.54.0). (@​duvet86)

  • #3102 Clean target directory before compiling overlay. (@​Timer)

... (truncated)

Changelog

Sourced from react-scripts's changelog.

2.0.3 and Newer Versions

Please refer to CHANGELOG-2.x.md for the 2.x range, and https://github.com/react/create-react-app/blob/main/CHANGELOG.md for the newer versions.

1.1.5 (August 24, 2018)

• react-scripts

  • Update the webpack-dev-server dependency

• react-dev-utils

  • #4866 Fix a Windows-only vulnerability (CVE-2018-6342) in the development server (@​acdlite)
  • Update the sockjs-client dependency

Committers: 1

• Andrew Clark (acdlite)

Migrating from 1.1.4 to 1.1.5

Inside any created project that has not been ejected, run:

npm install --save --save-exact react-scripts@1.1.5

or

yarn add --exact react-scripts@1.1.5

1.1.4 (April 3, 2018)

🐛 Bug Fix

• react-dev-utils

  • #4250 Upgrade detect-port-alt to fix #4189. (@​Timer)

Committers: 1

• Joe Haddad (Timer)

Migrating from 1.1.3 to 1.1.4

Inside any created project that has not been ejected, run:

</tr></table> 

... (truncated)

Commits

• 19fa58d Publish
• 9802941 fix: webpack noise printed only if error or warning (#12245)
• 2eef1d0 Update templates to use React 18 createRoot (#12220)
• 221e511 Publish
• 5614c87 Add support for Tailwind (#11717)
• 20edab4 fix(webpackDevServer): disable overlay for warnings (#11413)
• 3afbbc0 Update all dependencies (#11624)
• f5467d5 feat(eslint-config-react-app): support ESLint 8.x (#11375)
• c7627ce Update webpack and dev server (#11646)
• 544befe Update package.json (#11597)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by iansu, a new releaser for react-scripts since your current version.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.

[semgrep-code-auth0-samples]

Semgrep found 1 ssc-9f75fd94-e484-4842-ba51-a6da2e792bae finding:

• package-lock.json
  • L5357 - Triage

Risk: Affected versions of bootstrap are vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'). Bootstrap's collapse plugin passes the data-parent HTML attribute value to jQuery's $() constructor without sanitization, allowing an attacker who can influence that attribute to inject and execute arbitrary JavaScript in a victim's browser (XSS).

Fix: Upgrade this library to at least version 3.4.0 at react-redux-embedded-login/package-lock.json:5357.

Reference(s): GHSA-3wqf-4x89-9g79, CVE-2018-14040

Semgrep found 1 ssc-11b5542a-cf1c-4aac-809a-ed44a7e0a895 finding:

• package-lock.json
  • L5357 - Triage

Risk: Affected versions of bootstrap and bootstrap-sass are vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'). Bootstrap's JavaScript plugins (Alert, Carousel, Collapse, Dropdown, Modal, Tab) pass the data-target attribute value directly to jQuery's $() constructor without sanitization. Because jQuery parses HTML strings as live DOM nodes, an attacker who can control a data-target (or href) attribute on a Bootstrap trigger element can inject arbitrary HTML and execute JavaScript in the victim's browser, leading to session hijacking or sensitive data exposure.

Fix: Upgrade this library to at least version 3.4.0 at react-redux-embedded-login/package-lock.json:5357.

Reference(s): GHSA-4p24-vmcr-4gqj, CVE-2016-10735

Semgrep found 1 ssc-4759c514-b537-20ef-d52f-ebb0a5c388fa finding:

• package-lock.json
  • L4942 - Triage

Risk: Affected versions of axios are vulnerable to Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting') / Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') / Server-Side Request Forgery (SSRF). Axios can be used as a gadget for header injection: if another dependency enables prototype pollution, polluted properties can be merged into Axios request headers and written without CRLF sanitization, allowing request smuggling/SSRF that can reach internal services such as AWS IMDSv2 and potentially lead to credential theft or broader compromise.

Fix: Upgrade this library to at least version 0.31.0 at react-redux-embedded-login/package-lock.json:4942.

Reference(s): GHSA-fvcv-3m26-pcqx, CVE-2026-40175

Semgrep found 1 ssc-5ea2c631-7cef-a4e0-e641-d179af079827 finding:

• package-lock.json
  • L4942 - Triage

Risk: Affected versions of axios are vulnerable to Server-Side Request Forgery (SSRF) / Unintended Proxy or Intermediary ('Confused Deputy'). Axios does not normalize hostnames before applying NO_PROXY, so requests to loopback or internal hosts such as localhost. or [::1] can be sent through a configured proxy instead of bypassing it. If an attacker can influence request URLs, they may force local/internal Axios traffic through an attacker-controlled proxy, undermining SSRF protections and exposing sensitive responses.

Manual Review Advice: A vulnerability from this advisory is reachable if you have NO_PROXY configured in your environment

Fix: Upgrade this library to at least version 0.31.0 at react-redux-embedded-login/package-lock.json:4942.

Reference(s): GHSA-3p68-rc4w-qgx5, CVE-2025-62718

Semgrep found 1 ssc-ae0261cf-6ee1-4026-8199-9d51d98e7718 finding:

• package-lock.json
  • L16827 - Triage

Risk: Affected versions of ua-parser-js are vulnerable to Uncontrolled Resource Consumption. UAParser.js uses a vulnerable regular expression to parse User-Agent headers. A malicious header can trigger catastrophic backtracking in the regex, resulting in prolonged processing times and potential denial of service.

Manual Review Advice: A vulnerability from this advisory is reachable if you are using ua-parser-js via npx cli

Fix: Upgrade this library to at least version 0.7.24 at react-redux-embedded-login/package-lock.json:16827.

Reference(s): GHSA-78cj-fxph-m83p, CVE-2021-27292

Semgrep found 1 ssc-00f64d4f-00eb-4fb4-845e-f30d8f6ed59e finding:

• package-lock.json
  • L16827 - Triage

Risk: Affected versions of ua-parser-js are vulnerable to Uncontrolled Resource Consumption. A specially crafted user agent string can trigger catastrophic backtracking in the regex designed for Redmi Phones and Mi Pad Tablets. This may result in a Regular Expression Denial of Service, causing resource exhaustion when ua-parser-js attempts to parse the malicious input.

Manual Review Advice: A vulnerability from this advisory is reachable if you are using ua-parser-js via npx cli

Fix: Upgrade this library to at least version 0.7.22 at react-redux-embedded-login/package-lock.json:16827.

Reference(s): GHSA-662x-fhqg-9p8v, CVE-2020-7733

Semgrep found 1 ssc-dbb9eafa-1a18-4071-96d8-a06789849c96 finding:

• package-lock.json
  • L16827 - Triage

Risk: Affected versions of ua-parser-js are vulnerable to Uncontrolled Resource Consumption. UAParser.js is vulnerable to Regular Expression Denial of Service (ReDoS) attacks. Maliciously crafted user agent strings can trigger inefficient regex patterns, leading to excessive backtracking and high CPU consumption, which may ultimately cause service degradation or a denial of service.

Manual Review Advice: A vulnerability from this advisory is reachable if you are using ua-parser-js via npx cli

Fix: Upgrade this library to at least version 0.7.23 at react-redux-embedded-login/package-lock.json:16827.

Reference(s): GHSA-394c-5j6w-4xmx, CVE-2020-7793