Skip to content

[Snyk] Security upgrade shell-quote from 1.8.3 to 1.9.0#102

Open
factory-service-snyk wants to merge 1 commit into
devfrom
snyk-fix-d0f5c2656d36dea468eb86e6bb4bbcee
Open

[Snyk] Security upgrade shell-quote from 1.8.3 to 1.9.0#102
factory-service-snyk wants to merge 1 commit into
devfrom
snyk-fix-d0f5c2656d36dea468eb86e6bb4bbcee

Conversation

@factory-service-snyk

Copy link
Copy Markdown

snyk-top-banner

Snyk has created this PR to fix 1 vulnerabilities in the npm dependencies of this project.

Snyk changed the following file(s):

  • package.json
⚠️ Warning
Failed to update the package-lock.json, please update manually before merging.

Vulnerabilities that will be fixed with an upgrade:

Issue Score
high severity Inefficient Algorithmic Complexity
SNYK-JS-SHELLQUOTE-17457810
  710  

Breaking Change Risk

Merge Risk: Low

Notice: This assessment is enhanced by AI.


Important

  • Check the changes in this PR to ensure they won't cause issues with your project.
  • Max score is 1000. Note that the real score may have changed since the PR was raised.
  • This PR was automatically created by Snyk using the credentials of a real user.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic


Learn how to fix vulnerabilities with free interactive lessons:

🦉 Learn about vulnerability in an interactive lesson of Snyk Learn.

The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-SHELLQUOTE-17457810
@factory-service-snyk

Copy link
Copy Markdown
Author

Merge Risk: Low

This is a minor version upgrade. The changes introduce new features and do not contain any documented breaking changes.

Key Changes:

  • New Features: Adds support for <<< (here strings) and duplicating input file descriptors in the parser.
  • Deep Imports: The parse and quote functions are now available as deep imports (shell-quote/parse and shell-quote/quote).

No breaking changes were identified in the release notes for this version range.

Source: Changelog

Notice 🤖: This content was augmented using artificial intelligence. AI-generated content may contain errors and should be reviewed for accuracy before use.

@factory-droid

factory-droid Bot commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

Droid finished @factory-service-snyk's task —— View job


Security Review

Droid review complete.

As written, this PR likely does not apply the intended shell-quote security upgrade to the code path that actually runs in GitHub Actions (base-action). Update base-action and regenerate the relevant lockfiles so the installed version is shell-quote@1.9.0.

Comment thread package.json
"@octokit/rest": "^21.1.1",
"@octokit/webhooks-types": "^7.6.1",
"shell-quote": "^1.8.3",
"shell-quote": "^1.9.0",

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[P1] Upgrade shell-quote where the action actually runs (base-action)

This PR bumps shell-quote only in the repo-root package.json, but action.yml installs and runs ${GITHUB_ACTION_PATH}/base-action (with its own package.json and lockfiles) and that package still pins shell-quote@^1.8.3. As a result, the code that imports shell-quote at runtime (for example base-action/src/run-droid.ts) will continue to use the old version unless base-action/package.json (and its lockfiles) are updated too.

Comment thread package.json
"@octokit/rest": "^21.1.1",
"@octokit/webhooks-types": "^7.6.1",
"shell-quote": "^1.8.3",
"shell-quote": "^1.9.0",

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[P1] [security] Regenerate lockfiles so the upgrade is actually installed

Even with the package.json range bumped, the lockfiles in this repo still resolve shell-quote@1.8.3 (root bun.lock / package-lock.json, plus base-action/ lockfiles). Please re-run installs and commit the updated lockfiles for the package(s) that CI installs (${GITHUB_ACTION_PATH} and ${GITHUB_ACTION_PATH}/base-action) so shell-quote@1.9.0 is what actually gets shipped/installed.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants