Skip to content

Bump shell-quote and react-scripts#10

Open
dependabot[bot] wants to merge 1 commit into
masterfrom
dependabot/npm_and_yarn/multi-808dd346c4
Open

Bump shell-quote and react-scripts#10
dependabot[bot] wants to merge 1 commit into
masterfrom
dependabot/npm_and_yarn/multi-808dd346c4

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 10, 2026

Copy link
Copy Markdown

Bumps shell-quote to 1.8.4 and updates ancestor dependency react-scripts. These dependencies need to be updated together.

Updates shell-quote from 1.6.1 to 1.8.4

Changelog

Sourced from shell-quote's changelog.

v1.8.4 - 2026-05-22

Commits

  • [Fix] quote: validate object-token shapes 4378a6e
  • [Dev Deps] update @ljharb/eslint-config, auto-changelog, eslint, npmignore 22ebec0
  • [Tests] increase coverage 9f3caa3
  • [readme] replace runkit CI badge with shields.io check-runs badge 3344a04
  • [Dev Deps] update @ljharb/eslint-config 699c511

v1.8.3 - 2025-06-01

Fixed

v1.8.2 - 2024-11-27

Fixed

Commits

  • [meta] fix changelog tags 0fb9fd8
  • [actions] split out node 10-20, and 20+ 819bd84
  • [Dev Deps] update @ljharb/eslint-config, auto-changelog, npmignore, tape fc56408
  • [actions] update npm for windows tests fdeb0fd
  • [Dev Deps] update @ljharb/eslint-config, aud, tape b8a4a3b
  • [actions] prevent node 14 on ARM mac from failing 9eecafc
  • [meta] exclude more files from the package 4044e7f
  • [Tests] replace aud with npm audit 8cfdbd8
  • [meta] add missing engines.node 843820e
  • [Dev Deps] add missing peer dep 4c3b88d
  • [Dev Deps] pin jackspeak since 2.1.2+ depends on npm aliases, which kill the install process in npm < 6 80322ed

v1.8.1 - 2023-04-07

Fixed

Commits

  • [Refactor] parse: hoist getVar to module level b42ac73
  • [Refactor] hoist some vars to module level 8f0c5c3
  • [Refactor] parse: use slice over substr, cache some values fcb2e1a
  • [Refactor] parse: a bit of cleanup 6780ec5
  • [Refactor] parse: tweak the regex to not match nothing 227d474

... (truncated)

Commits
  • ff166e2 v1.8.4
  • 4378a6e [Fix] quote: validate object-token shapes
  • 22ebec0 [Dev Deps] update @ljharb/eslint-config, auto-changelog, eslint, `npmig...
  • 9f3caa3 [Tests] increase coverage
  • 3344a04 [readme] replace runkit CI badge with shields.io check-runs badge
  • 699c511 [Dev Deps] update @ljharb/eslint-config
  • 487a9b4 v1.8.3
  • 01faaff [Fix] remove unnecessary backslash escaping in single quotes
  • b19fc77 v1.8.2
  • 59d29ea [Fix] quote: preserve empty strings
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by ljharb, a new releaser for shell-quote since your current version.

Install script changes

This version adds prepublish script that runs during installation. Review the package contents before updating.


Updates react-scripts from 1.0.13 to 5.0.1

Release notes

Sourced from react-scripts's releases.

v1.0.14

1.0.14 (September 26, 2017)

🐛 Bug Fix

  • react-dev-utils

    • #3098 Always reload the page on next compile after a runtime error. (@​Timer)

  • react-error-overlay

💅 Enhancement

  • react-dev-utils

📝 Documentation

🏠 Internal

... (truncated)

Changelog

Sourced from react-scripts's changelog.

2.0.3 and Newer Versions

Please refer to CHANGELOG-2.x.md for the 2.x range, and https://github.com/react/create-react-app/blob/main/CHANGELOG.md for the newer versions.

1.1.5 (August 24, 2018)

  • react-scripts

    • Update the webpack-dev-server dependency

  • react-dev-utils

    • #4866 Fix a Windows-only vulnerability (CVE-2018-6342) in the development server (@​acdlite)
    • Update the sockjs-client dependency

Committers: 1

Migrating from 1.1.4 to 1.1.5

Inside any created project that has not been ejected, run:

npm install --save --save-exact react-scripts@1.1.5

or

yarn add --exact react-scripts@1.1.5

1.1.4 (April 3, 2018)

🐛 Bug Fix

Committers: 1

Migrating from 1.1.3 to 1.1.4

Inside any created project that has not been ejected, run:

</tr></table>

... (truncated)

Commits
Maintainer changes

This version was pushed to npm by iansu, a new releaser for react-scripts since your current version.


Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

@dependabot
Bump shell-quote and react-scripts
97c58f7 
Bumps [shell-quote](https://github.com/ljharb/shell-quote) to 1.8.4 and updates ancestor dependency [react-scripts](https://github.com/facebook/create-react-app/tree/HEAD/packages/react-scripts). These dependencies need to be updated together.


Updates `shell-quote` from 1.6.1 to 1.8.4
- [Changelog](https://github.com/ljharb/shell-quote/blob/main/CHANGELOG.md)
- [Commits](ljharb/shell-quote@v1.6.1...v1.8.4)

Updates `react-scripts` from 1.0.13 to 5.0.1
- [Release notes](https://github.com/facebook/create-react-app/releases)
- [Changelog](https://github.com/react/create-react-app/blob/main/CHANGELOG-1.x.md)
- [Commits](https://github.com/facebook/create-react-app/commits/react-scripts@5.0.1/packages/react-scripts)

---
updated-dependencies:
- dependency-name: shell-quote
  dependency-version: 1.8.4
  dependency-type: indirect
- dependency-name: react-scripts
  dependency-version: 5.0.1
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Jun 10, 2026
semgrep-code-auth0-samples[bot]
semgrep-code-auth0-samples Bot reviewed Jun 10, 2026
View reviewed changes
Comment thread yarn.lock
range-parser "^1.2.1"
schema-utils "^4.0.0"

webpack-dev-server@^4.6.0:

@semgrep-code-auth0-samples semgrep-code-auth0-samples Bot Jun 10, 2026

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Medium severity vulnerability may affect your project—review required:
Line 8492 lists a dependency (webpack-dev-server) with a known Medium severity vulnerability.

ℹ️ Why this matters

Affected versions of webpack-dev-server are vulnerable to Exposed Dangerous Method or Function. webpack-dev-server serves bundled assets without rejecting cross-origin classic script requests. Because such <script src> requests bypass the same-origin policy, a malicious website visited by a developer running the dev server can load the application bundle cross-origin and, via prototype pollution of the webpack runtime, extract the application source code.

References: GHSA, CVE

To resolve this comment:
Check if you are using webpack dev server CLI setup.

  • If you're affected, upgrade this dependency to at least version 5.2.1 at yarn.lock.
  • If you're not affected, comment /fp we don't use this [condition]
💬 Ignore this finding

To ignore this, reply with:

  • /fp <comment> for false positive
  • /ar <comment> for acceptable risk
  • /other <comment> for all other reasons

You can view more details on this finding in the Semgrep AppSec Platform here.

semgrep-code-auth0-samples[bot]
semgrep-code-auth0-samples Bot reviewed Jun 10, 2026
View reviewed changes
Comment thread yarn.lock
range-parser "^1.2.1"
schema-utils "^4.0.0"

webpack-dev-server@^4.6.0:

@semgrep-code-auth0-samples semgrep-code-auth0-samples Bot Jun 10, 2026

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Medium severity vulnerability may affect your project—review required:
Line 8492 lists a dependency (webpack-dev-server) with a known Medium severity vulnerability.

ℹ️ Why this matters

Affected versions of webpack-dev-server are vulnerable to Origin Validation Error. webpack-dev-server improperly validates the WebSocket connection Origin header, unconditionally accepting any IP-address-based Origin. A malicious website can perform a cross-site WebSocket hijack against a running dev server and exfiltrate the developer source code carried in Hot Module Reloading (HMR) messages. The insecure origin check is the package default and is reached on every WebSocket connection, so any project running an affected version is vulnerable.

References: GHSA, CVE

To resolve this comment:
Check if you are using webpack dev server CLI setup and access untrusted web site with non-Chromium based browser.

  • If you're affected, upgrade this dependency to at least version 5.2.1 at yarn.lock.
  • If you're not affected, comment /fp we don't use this [condition]
💬 Ignore this finding

To ignore this, reply with:

  • /fp <comment> for false positive
  • /ar <comment> for acceptable risk
  • /other <comment> for all other reasons

You can view more details on this finding in the Semgrep AppSec Platform here.

@semgrep-code-auth0-samples

semgrep-code-auth0-samples Bot commented Jun 10, 2026

Copy link
Copy Markdown

Semgrep found 1 ssc-918a81a4-b70b-4c7a-8ce1-f999ac30e3dc finding:

Risk: Affected versions of bootstrap and bootstrap-sass are vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'). Bootstrap's affix plugin passes its target option straight into the jQuery $() constructor, so a target/data-target value containing HTML is parsed as markup and can execute arbitrary JavaScript (DOM-based XSS).

Manual Review Advice: A vulnerability from this advisory is reachable if you are calling affix plugin via JavaScript

Fix: Upgrade this library to at least version 3.4.0 at react-redux-embedded-login/package-lock.json:5367.

Reference(s): GHSA-ph58-4vrj-w6hr, CVE-2018-20677

Semgrep found 1 ssc-484bb776-a960-4899-8ddd-675885fe6a95 finding:

Risk: Affected versions of webpack-dev-server are vulnerable to Exposed Dangerous Method or Function. webpack-dev-server serves bundled assets without rejecting cross-origin classic script requests. Because such <script src> requests bypass the same-origin policy, a malicious website visited by a developer running the dev server can load the application bundle cross-origin and, via prototype pollution of the webpack runtime, extract the application source code.

Manual Review Advice: A vulnerability from this advisory is reachable if you are using webpack dev server CLI setup

Fix: Upgrade this library to at least version 5.2.1 at react-redux-embedded-login/package-lock.json:17256.

Reference(s): GHSA-4v9v-hfq4-rm2v, CVE-2025-30359

Semgrep found 1 ssc-013ecbde-4597-4af3-bcc3-06920828d5cc finding:

Risk: Affected versions of webpack-dev-server are vulnerable to Origin Validation Error. webpack-dev-server improperly validates the WebSocket connection Origin header, unconditionally accepting any IP-address-based Origin. A malicious website can perform a cross-site WebSocket hijack against a running dev server and exfiltrate the developer source code carried in Hot Module Reloading (HMR) messages. The insecure origin check is the package default and is reached on every WebSocket connection, so any project running an affected version is vulnerable.

Manual Review Advice: A vulnerability from this advisory is reachable if you are using webpack dev server CLI setup and access untrusted web site with non-Chromium based browser

Fix: Upgrade this library to at least version 5.2.1 at react-redux-embedded-login/package-lock.json:17256.

Reference(s): GHSA-9jgg-88mc-972h, CVE-2025-30360

Semgrep found 1 ssc-9f75fd94-e484-4842-ba51-a6da2e792bae finding:

Risk: Affected versions of bootstrap are vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'). Bootstrap's collapse plugin passes the data-parent HTML attribute value to jQuery's $() constructor without sanitization, allowing an attacker who can influence that attribute to inject and execute arbitrary JavaScript in a victim's browser (XSS).

Fix: Upgrade this library to at least version 3.4.0 at react-redux-embedded-login/package-lock.json:5367.

Reference(s): GHSA-3wqf-4x89-9g79, CVE-2018-14040

Semgrep found 1 ssc-11b5542a-cf1c-4aac-809a-ed44a7e0a895 finding:

Risk: Affected versions of bootstrap and bootstrap-sass are vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'). Bootstrap's JavaScript plugins (Alert, Carousel, Collapse, Dropdown, Modal, Tab) pass the data-target attribute value directly to jQuery's $() constructor without sanitization. Because jQuery parses HTML strings as live DOM nodes, an attacker who can control a data-target (or href) attribute on a Bootstrap trigger element can inject arbitrary HTML and execute JavaScript in the victim's browser, leading to session hijacking or sensitive data exposure.

Fix: Upgrade this library to at least version 3.4.0 at react-redux-embedded-login/package-lock.json:5367.

Reference(s): GHSA-4p24-vmcr-4gqj, CVE-2016-10735

Semgrep found 1 ssc-4759c514-b537-20ef-d52f-ebb0a5c388fa finding:

Risk: Affected versions of axios are vulnerable to Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting') / Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') / Server-Side Request Forgery (SSRF). Axios can be used as a gadget for header injection: if another dependency enables prototype pollution, polluted properties can be merged into Axios request headers and written without CRLF sanitization, allowing request smuggling/SSRF that can reach internal services such as AWS IMDSv2 and potentially lead to credential theft or broader compromise.

Fix: Upgrade this library to at least version 0.31.0 at react-redux-embedded-login/package-lock.json:4952.

Reference(s): GHSA-fvcv-3m26-pcqx, CVE-2026-40175

Semgrep found 1 ssc-5ea2c631-7cef-a4e0-e641-d179af079827 finding:

Risk: Affected versions of axios are vulnerable to Server-Side Request Forgery (SSRF) / Unintended Proxy or Intermediary ('Confused Deputy'). Axios does not normalize hostnames before applying NO_PROXY, so requests to loopback or internal hosts such as localhost. or [::1] can be sent through a configured proxy instead of bypassing it. If an attacker can influence request URLs, they may force local/internal Axios traffic through an attacker-controlled proxy, undermining SSRF protections and exposing sensitive responses.

Manual Review Advice: A vulnerability from this advisory is reachable if you have NO_PROXY configured in your environment

Fix: Upgrade this library to at least version 0.31.0 at react-redux-embedded-login/package-lock.json:4952.

Reference(s): GHSA-3p68-rc4w-qgx5, CVE-2025-62718

Semgrep found 1 ssc-b1111744-f54b-4966-b3a9-9dfcb0019bac finding:

Risk: Affected versions of axios are vulnerable to Inefficient Regular Expression Complexity / Uncontrolled Resource Consumption. axios is vulnerable to a regular expression denial of service (ReDoS). The internal cookies.read() helper in lib/helpers/cookies.js builds a regular expression by concatenating the cookie name directly into the pattern without escaping regex metacharacters. When the cookie name flowing into the XSRF cookie read (e.g. via xsrfCookieName) contains a catastrophic-backtracking payload, evaluating the regex against document.cookie can freeze the JavaScript event loop, causing a denial of service in the browser tab or in Node.js/SSR applications. The affected code path is reached during ordinary axios request processing, so any importer of an affected version is exposed. Upgrade to a patched version (0.32.0 or 1.16.0), or set xsrfCookieName: null to disable XSRF cookie reading.

Manual Review Advice: A vulnerability from this advisory is reachable if you are using axios in browser with untrusted xsrfCookieName value

Fix: Upgrade this library to at least version 0.32.0 at react-redux-embedded-login/package-lock.json:4952.

Reference(s): GHSA-hfxv-24rg-xrqf

Semgrep found 1 ssc-ae0261cf-6ee1-4026-8199-9d51d98e7718 finding:

Risk: Affected versions of ua-parser-js are vulnerable to Uncontrolled Resource Consumption. UAParser.js uses a vulnerable regular expression to parse User-Agent headers. A malicious header can trigger catastrophic backtracking in the regex, resulting in prolonged processing times and potential denial of service.

Manual Review Advice: A vulnerability from this advisory is reachable if you are using ua-parser-js via npx cli

Fix: Upgrade this library to at least version 0.7.24 at react-redux-embedded-login/package-lock.json:16848.

Reference(s): GHSA-78cj-fxph-m83p, CVE-2021-27292

Semgrep found 1 ssc-00f64d4f-00eb-4fb4-845e-f30d8f6ed59e finding:

Risk: Affected versions of ua-parser-js are vulnerable to Uncontrolled Resource Consumption. A specially crafted user agent string can trigger catastrophic backtracking in the regex designed for Redmi Phones and Mi Pad Tablets. This may result in a Regular Expression Denial of Service, causing resource exhaustion when ua-parser-js attempts to parse the malicious input.

Manual Review Advice: A vulnerability from this advisory is reachable if you are using ua-parser-js via npx cli

Fix: Upgrade this library to at least version 0.7.22 at react-redux-embedded-login/package-lock.json:16848.

Reference(s): GHSA-662x-fhqg-9p8v, CVE-2020-7733

Semgrep found 1 ssc-dbb9eafa-1a18-4071-96d8-a06789849c96 finding:

Risk: Affected versions of ua-parser-js are vulnerable to Uncontrolled Resource Consumption. UAParser.js is vulnerable to Regular Expression Denial of Service (ReDoS) attacks. Maliciously crafted user agent strings can trigger inefficient regex patterns, leading to excessive backtracking and high CPU consumption, which may ultimately cause service degradation or a denial of service.

Manual Review Advice: A vulnerability from this advisory is reachable if you are using ua-parser-js via npx cli

Fix: Upgrade this library to at least version 0.7.23 at react-redux-embedded-login/package-lock.json:16848.

Reference(s): GHSA-394c-5j6w-4xmx, CVE-2020-7793

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@semgrep-code-auth0-samples semgrep-code-auth0-samples[bot] semgrep-code-auth0-samples[bot] left review comments

Reviewers whose approvals may not affect merge requirements

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants