
fix(deps): bump shell-quote to 1.8.4 (CVE-2026-9277)#79

Merged
jz-inworld merged 1 commit into main from jz/bump-shell-quote-1.8.4 on Jun 9, 2026

Conversation

@jz-inworld

@jz-inworld jz-inworld commented Jun 9, 2026

Contributor

What

Pins shell-quote to 1.8.4 (was 1.8.3) via an overrides entry on the root package.json, and regenerates the root package-lock.json.

"overrides": {
  "shell-quote@<1.8.4": "1.8.4"
}

Why

shell-quote <1.8.4 carries a CRITICAL command-injection advisory, CVE-2026-9277 (quote() mishandles line terminators in an object token's .op field, allowing command separation in POSIX shells). Fixed upstream in 1.8.4.

Scope / safety

  • Override is scoped to vulnerable (<1.8.4) instances only, so it is a no-op once the tree is clean.
  • Root lockfile diff is contained to the shell-quote version/resolved/integrity (6 lines, 2 files). The backend/ and frontend/ lockfiles do not contain shell-quote and are untouched.
  • Patch bump of a transitive dev tool; production build and runtime are unaffected.

🤖 Generated with Claude Code

shell-quote <1.8.4 has a CRITICAL command-injection advisory (CVE-2026-9277)
in quote(). It is pulled in only transitively via concurrently, a dev-only
script runner; no first-party code imports or calls shell-quote, so the
vulnerable path is not reachable in this app. Pinning to 1.8.4 to clear the
alert via an override scoped to vulnerable (<1.8.4) instances only.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
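An added check, not part of this PR or the project: the override only helps if the regenerated lockfile actually contains no shell-quote entry below 1.8.4, including nested copies under another package's node_modules. The script below walks a v2/v3 package-lock.json (where every installed copy is keyed by its node_modules path) and lists any instance still below the fixed version; the embedded lockfile is a constructed sample, and `scanLockfile` is a hypothetical helper for running it against a real file.

```javascript
// Verify that an npm overrides pin took effect by scanning package-lock.json
// for copies of a package still below the patched version.
// Node.js only, no third-party dependencies.

const PACKAGE = "shell-quote";
const FIXED = "1.8.4"; // first release without CVE-2026-9277

// Minimal numeric compare for x.y.z versions (prerelease tags ignored).
function cmpVersion(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Lockfile v2/v3 keys each installed copy by path, so nested duplicates such as
// node_modules/foo/node_modules/shell-quote are caught as well as the top-level one.
function findVulnerable(lock, pkg = PACKAGE, fixed = FIXED) {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "" || !path.endsWith(`node_modules/${pkg}`)) continue;
    if (entry.version && cmpVersion(entry.version, fixed) < 0) {
      hits.push({ path, version: entry.version });
    }
  }
  return hits;
}

// Hypothetical helper: run the check against a real lockfile on disk.
function scanLockfile(file) {
  const fs = require("node:fs");
  return findVulnerable(JSON.parse(fs.readFileSync(file, "utf8")));
}

// Constructed sample: the root entry carries an overrides rule shaped like the
// one in this PR, but the installed copy is still 1.8.3 (install not re-run).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { overrides: { "shell-quote@<1.8.4": "1.8.4" } },
    "node_modules/concurrently": { version: "9.0.0" },
    "node_modules/shell-quote": { version: "1.8.3" },
  },
};

const hits = findVulnerable(sampleLock);
console.log(hits.length === 0 ? `${PACKAGE} tree is clean` : hits);
```

Pass a lockfile path to `scanLockfile` to run the same check in CI; an empty result means the override is a no-op, exactly as the PR description expects once the tree is clean.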
@jz-inworld jz-inworld marked this pull request as ready for review June 9, 2026 18:36
@jz-inworld jz-inworld requested review from a team as code owners June 9, 2026 18:36
Copilot AI review requested due to automatic review settings June 9, 2026 18:36

Copilot AI left a comment


Pull request overview

Pins the transitive dependency shell-quote to 1.8.4 at the monorepo root to address CVE-2026-9277, using an npm overrides entry and a regenerated root lockfile to ensure the resolved package is updated.

Changes:

  • Add a root-level npm overrides rule to force shell-quote versions <1.8.4 to resolve to 1.8.4.
  • Regenerate package-lock.json so node_modules/shell-quote resolves to 1.8.4 with updated tarball URL and integrity hash.

Reviewed changes

Copilot reviewed 1 out of 2 changed files in this pull request and generated no comments.

File | Description
package.json | Adds an npm overrides entry to pin vulnerable shell-quote versions to 1.8.4.
package-lock.json | Updates the resolved shell-quote package metadata to 1.8.4 in the root lockfile.


@jz-inworld jz-inworld merged commit e6456bc into main Jun 9, 2026
3 checks passed
@jz-inworld jz-inworld deleted the jz/bump-shell-quote-1.8.4 branch June 9, 2026 18:41