[Snyk] Security upgrade shell-quote from 1.8.3 to 1.9.0 #102
factory-service-snyk wants to merge 1 commit into
Conversation
The following vulnerabilities are fixed with an upgrade: - https://snyk.io/vuln/SNYK-JS-SHELLQUOTE-17457810
This is a minor version upgrade. The changes introduce new features and do not contain any documented breaking changes. Key Changes:
No breaking changes were identified in the release notes for this version range. Source: Changelog
Droid finished @factory-service-snyk's task. Droid review complete. As written, this PR likely does not apply the intended
| "@octokit/rest": "^21.1.1", | ||
| "@octokit/webhooks-types": "^7.6.1", | ||
| "shell-quote": "^1.8.3", | ||
| "shell-quote": "^1.9.0", |
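Review bot: the `shell-quote` range bump in this hunk lands only in the root package.json, and no lockfile change appears in the diff, so nothing that gets installed changes yet. After regenerating the lockfiles (and making the same bump in base-action/package.json, which action.yml actually runs), confirm with `npm ls shell-quote` in each package that no copy of shell-quote@1.8.3 remains before treating SNYK-JS-SHELLQUOTE-17457810 as remediated.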
[P1] Upgrade shell-quote where the action actually runs (base-action)
This PR bumps shell-quote only in the repo-root package.json, but action.yml installs and runs ${GITHUB_ACTION_PATH}/base-action (with its own package.json and lockfiles) and that package still pins shell-quote@^1.8.3. As a result, the code that imports shell-quote at runtime (for example base-action/src/run-droid.ts) will continue to use the old version unless base-action/package.json (and its lockfiles) are updated too.
| "@octokit/rest": "^21.1.1", | ||
| "@octokit/webhooks-types": "^7.6.1", | ||
| "shell-quote": "^1.8.3", | ||
| "shell-quote": "^1.9.0", |
[P1] [security] Regenerate lockfiles so the upgrade is actually installed
Even with the package.json range bumped, the lockfiles in this repo still resolve shell-quote@1.8.3 (root bun.lock / package-lock.json, plus base-action/ lockfiles). Please re-run installs and commit the updated lockfiles for the package(s) that CI installs (${GITHUB_ACTION_PATH} and ${GITHUB_ACTION_PATH}/base-action) so shell-quote@1.9.0 is what actually gets shipped/installed.
Snyk has created this PR to fix 1 vulnerability in the npm dependencies of this project.
Snyk changed the following file(s):
package.json
Vulnerabilities that will be fixed with an upgrade:
SNYK-JS-SHELLQUOTE-17457810
Breaking Change Risk
Important note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.