From 8d4fd562d4a8c894b2a56c7b137f394d8fcfbd72 Mon Sep 17 00:00:00 2001
From: Jiazhen Fan
Date: Tue, 9 Jun 2026 11:08:54 -0700
Subject: [PATCH] fix(deps): bump shell-quote to 1.8.4 (CVE-2026-9277)

shell-quote <1.8.4 has a CRITICAL command-injection advisory (CVE-2026-9277) in quote(). It is pulled in only transitively via concurrently, a dev-only script runner; no first-party code imports or calls shell-quote, so the vulnerable path is not reachable in this app. Pinning to 1.8.4 to clear the alert via an override scoped to vulnerable (<1.8.4) instances only.

Co-Authored-By: Claude Opus 4.8 (1M context)
---
 package-lock.json | 6 +++---
 package.json | 3 +++
 2 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/package-lock.json b/package-lock.json
index e542420..c263199 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -237,9 +237,9 @@
       }
     },
     "node_modules/shell-quote": {
-      "version": "1.8.3",
-      "resolved": "https://registry.npmjs.org/shell-quote/-/shell-quote-1.8.3.tgz",
-      "integrity": "sha512-ObmnIF4hXNg1BqhnHmgbDETF8dLPCggZWBjkQfhZpbszZnYur5DUljTcCHii5LC3J5E0yeO/1LIMyH+UvHQgyw==",
+      "version": "1.8.4",
+      "resolved": "https://registry.npmjs.org/shell-quote/-/shell-quote-1.8.4.tgz",
+      "integrity": "sha512-VsC6n6vz1ihYYyZZwX7YZSF5l5x36ca17OC+a69h94YqB7X6XLwf+5MOgynYir2SLFUbl8gIYvBo8K8RoNQ6bQ==",
       "dev": true,
       "license": "MIT",
       "engines": {
diff --git a/package.json b/package.json
index 16cb329..eacca63 100644
--- a/package.json
+++ b/package.json
@@ -18,5 +18,8 @@
   },
   "devDependencies": {
     "concurrently": "^8.2.2"
+  },
+  "overrides": {
+    "shell-quote@<1.8.4": "1.8.4"
   }
 }