Commit 90a0fe8

chore(deps): update dependency zx to v8.8.5 [security] (#17)
This PR contains the following updates:

| Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| [zx](https://google.github.io/zx/) ([source](https://redirect.github.com/google/zx)) | [`8.7.1` → `8.8.5`](https://renovatebot.com/diffs/npm/zx/8.7.1/8.8.5) | ![age](https://developer.mend.io/api/mc/badges/age/npm/zx/8.8.5?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/zx/8.7.1/8.8.5?slim=true) |

### GitHub Vulnerability Alerts

#### [CVE-2025-13437](https://nvd.nist.gov/vuln/detail/CVE-2025-13437)

When zx is invoked with --prefer-local=<path>, the CLI creates a symlink named ./node_modules pointing to <path>/node_modules. Due to a logic error in src/cli.ts (linkNodeModules / cleanup), the function returns the target path instead of the alias (symlink path). The later cleanup routine removes what it received, which deletes the target directory itself. Result: zx can delete an external <path>/node_modules outside the current working directory.

---

### Release Notes

<details>
<summary>google/zx (zx)</summary>

### [`v8.8.5`](https://redirect.github.com/google/zx/releases/tag/8.8.5): — Temporary Reservoir

[Compare Source](https://redirect.github.com/google/zx/compare/8.8.4...8.8.5)

This release fixes the issue, when zx flushes external `node_modules` on linking [#1348](https://redirect.github.com/google/zx/issues/1348) [#1349](https://redirect.github.com/google/zx/issues/1349) [#1355](https://redirect.github.com/google/zx/issues/1355)
Also [`globby@15.0.0`](https://redirect.github.com/sindresorhus/globby/releases/tag/v15.0.0) arrives here.

### [`v8.8.4`](https://redirect.github.com/google/zx/releases/tag/8.8.4): — Flange Coupling

[Compare Source](https://redirect.github.com/google/zx/compare/8.8.3...8.8.4)

It's time.
This release updates zx internals to make [the `ps` API](https://google.github.io/zx/api#ps) and related methods `ProcessPromise.kill()`, `kill()` work on Windows systems without [`wmic`](https://learn.microsoft.com/en-us/windows/win32/wmisdk/wmic). [#1344](https://redirect.github.com/google/zx/pull/1344) [webpod/ps#15](https://redirect.github.com/webpod/ps/pull/15)

> 1. WMIC will be missing in Windows 11 25H2 (kernel >= 26000)
> 2. The windows-latest label in GitHub Actions will migrate from Windows Server 2022 to Windows Server 2025 beginning September 2, 2025 and finishing by September 30, 2025.
>
> <https://github.blog/changelog/2025-07-31-github-actions-new-apis-and-windows-latest-migration-notice/#windows-latest-image-label-migration>

### [`v8.8.3`](https://redirect.github.com/google/zx/releases/tag/8.8.3): — Sealing Gasket

[Compare Source](https://redirect.github.com/google/zx/compare/8.8.2...8.8.3)

Continues [#1339](https://redirect.github.com/google/zx/pull/1339) to prevent injections via `Proxy` input or custom `toString()` manipulations.

### [`v8.8.2`](https://redirect.github.com/google/zx/releases/tag/8.8.2): — Leaking Valve

[Compare Source](https://redirect.github.com/google/zx/compare/8.8.1...8.8.2)

Fixes potential cmd injection via `kill()` method for Windows platform. [#1337](https://redirect.github.com/google/zx/issues/1337) [#1339](https://redirect.github.com/google/zx/pull/1339). Affects the versions range `8.7.1...8.8.1`.

### [`v8.8.1`](https://redirect.github.com/google/zx/releases/tag/8.8.1): — Turbo Flush

[Compare Source](https://redirect.github.com/google/zx/compare/8.8.0...8.8.1)

We keep improving the project's internal infra to bring more stability, safety and performance for artifacts.

##### Featfixes

- Applied flags filtration for CLI-driven deps install [#1308](https://redirect.github.com/google/zx/pull/1308)
- Added `kill()` event logging [#1312](https://redirect.github.com/google/zx/pull/1312)
- Set `SIGTERM` as `kill()` fallback signal [#1313](https://redirect.github.com/google/zx/pull/1313)
- Allowed `stdio()` arg be an array [#1311](https://redirect.github.com/google/zx/pull/1311)

```ts
const p = $({halt: true})`cmd`
p.stdio([stream, 'ignore', 'pipe'])
```

##### Enhancements

- Added check for **zx@lite** pkg contents [#1317](https://redirect.github.com/google/zx/pull/1317) [#1316](https://redirect.github.com/google/zx/issues/1316)
- Simplified `ProcessPromise[asyncIterator]` inners [#1307](https://redirect.github.com/google/zx/pull/1307)
- Updated deps: chalk 5.6.0, fs-extra 11.3.1, yaml 2.8.1 [#1309](https://redirect.github.com/google/zx/pull/1309) [#1323](https://redirect.github.com/google/zx/pull/1323) [#1326](https://redirect.github.com/google/zx/pull/1326)
- Added TS@next to the test matrix [#1310](https://redirect.github.com/google/zx/pull/1310)
- Optimized internal `shell` setters [#1314](https://redirect.github.com/google/zx/pull/1314)
- Refactored build-publish pipelines and scripts [#1319](https://redirect.github.com/google/zx/pull/1319) [#1320](https://redirect.github.com/google/zx/pull/1320) [#1321](https://redirect.github.com/google/zx/pull/1321) [#1322](https://redirect.github.com/google/zx/pull/1322) [#1324](https://redirect.github.com/google/zx/pull/1324) [#1325](https://redirect.github.com/google/zx/pull/1325) [#1327](https://redirect.github.com/google/zx/pull/1327)

### [`v8.8.0`](https://redirect.github.com/google/zx/releases/tag/8.8.0): — Pressure Tested

[Compare Source](https://redirect.github.com/google/zx/compare/8.7.2...8.8.0)

This release enhances the coherence between the **ProcessPromise** and the **Streams API**, eliminating the need for certain script-level workarounds.

##### ✨ New Features

##### `unpipe()` — Selectively stop piping

You can now call `.unpipe()` to stop data transfer from a source to a destination without closing any of the pair. [#1302](https://redirect.github.com/google/zx/pull/1302)

```ts
const p1 = $`echo foo && sleep 0.1 && echo bar && sleep 0.1 && echo baz && sleep 0.1 && echo qux`
const p2 = $`echo 1 && sleep 0.15 && echo 2 && sleep 0.1 && echo 3`
const p3 = $`cat`

p1.pipe(p3)
p2.pipe(p3)

setTimeout(() => p1.unpipe(p3), 150)

const { stdout } = await p3
// 'foo\n1\nbar\n2\n3\n'
```

##### Many-to-one piping

Multiple sources can now stream into a single destination. All sources complete before the destination closes. [#1300](https://redirect.github.com/google/zx/pull/1300)

```ts
const $h = $({ halt: true })
const p1 = $`echo foo`
const p2 = $h`echo a && sleep 0.1 && echo c && sleep 0.2 && echo e`
const p3 = $h`sleep 0.05 && echo b && sleep 0.1 && echo d`
const p4 = $`sleep 0.4 && echo bar`
const p5 = $h`cat`

await p1
p1.pipe(p5)
p2.pipe(p5)
p3.pipe(p5)
p4.pipe(p5)

const { stdout } = await p5.run()
// 'foo\na\nb\nc\nd\ne\nbar\n'
```

##### Piping from rejected processes

Processes that exit with errors can now still pipe their output. The internal recorder retains their stream, status, and exit code. [#1296](https://redirect.github.com/google/zx/pull/1296)

```ts
const p1 = $({ nothrow: true })`echo foo && exit 1`
await p1

const p2 = p1.pipe($({ nothrow: true })`cat`)
await p2

p1.output.toString() // 'foo\n'
p1.output.ok         // false
p1.output.exitCode   // 1

p2.output.toString() // 'foo\n'
p2.output.ok         // false
p2.output.exitCode   // 1
```

##### Components versions

Since zx bundles third-party libraries without their package.jsons, their versions weren’t previously visible. You can now access them via the `versions` static map — including zx itself. [#1298](https://redirect.github.com/google/zx/pull/1298) [#1295](https://redirect.github.com/google/zx/pull/1295)

```ts
import { versions } from 'zx'

versions.zx     // 8.7.2
versions.chalk  // 5.4.1
```

### [`v8.7.2`](https://redirect.github.com/google/zx/releases/tag/8.7.2): — Copper Crafter

[Compare Source](https://redirect.github.com/google/zx/compare/8.7.1...8.7.2)

Stability and customizability improvements

- Handle `nothrow` option on `ProcessPromise` init stage [#1288](https://redirect.github.com/google/zx/pull/1288)

```ts
const o = await $({ nothrow: true })`\033`
o.ok    // false
o.cause // Error
```

- Handle `_snapshot.killSignal` value on `kill()` [#1287](https://redirect.github.com/google/zx/pull/1287)

```ts
const p = $({killSignal: 'SIGKILL'})`sleep 10`
await p.kill()
p.signal // 'SIGKILL'
```

- Introduced `Fail` class [#1285](https://redirect.github.com/google/zx/pull/1285)

```ts
import { Fail } from 'zx'

Fail.EXIT_CODES['2'] = 'Custom error message'
Fail.formatErrorMessage = (err: Error, from: string): string =>
  `${err.message} (${from})`
```

- Expose `$` as type [#1283](https://redirect.github.com/google/zx/pull/1283)

```ts
import type { $, Options } from 'zx'

const custom$: $ = (pieces: TemplateStringsArray | Partial<Options>, ...args: any[]) => {
  // ... custom implementation
}
```

- Internal tweak ups [#1276](https://redirect.github.com/google/zx/pull/1276) [#1277](https://redirect.github.com/google/zx/pull/1277) [#1278](https://redirect.github.com/google/zx/pull/1278) [#1279](https://redirect.github.com/google/zx/pull/1279) [#1280](https://redirect.github.com/google/zx/pull/1280) [#1281](https://redirect.github.com/google/zx/pull/1281) [#1282](https://redirect.github.com/google/zx/pull/1282) [#1286](https://redirect.github.com/google/zx/pull/1286) [#1289](https://redirect.github.com/google/zx/pull/1289)
- Described the zx architecture basics. This section helps to better understand the zx concepts and internal logic, and will be useful for those who want to become a project contributor, make tools based on it, or create something similar from scratch. [#1290](https://redirect.github.com/google/zx/pull/1290) [#1291](https://redirect.github.com/google/zx/pull/1291) [#1292](https://redirect.github.com/google/zx/pull/1292)

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Enabled.

♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
1 parent 7df6522 commit 90a0fe8
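
The logic error described in the CVE-2025-13437 text above (the link helper returns the target instead of the alias, and cleanup removes whatever it receives) can be reproduced safely in a throwaway temp directory. This is an added example, not zx source code and not part of this commit; `link`, `cleanupNaive`, `cleanupGuarded` and `run` are hypothetical names, and the guarded cleanup is a defensive pattern assumed here, not the upstream fix.

```javascript
// Added illustration, not zx source; all names here are hypothetical.
const fs = require('node:fs');
const os = require('node:os');
const path = require('node:path');

// Create <cwd>/node_modules -> <external>/node_modules and return a path
// for later cleanup. buggy=true returns the link target (the defect the
// advisory describes); buggy=false returns the alias the caller created.
function link(cwd, external, buggy) {
  const target = path.join(external, 'node_modules');
  const alias = path.join(cwd, 'node_modules');
  fs.symlinkSync(target, alias, 'junction'); // type only matters on Windows
  return buggy ? target : alias;
}

// Cleanup that removes whatever path it was handed.
function cleanupNaive(p) {
  fs.rmSync(p, { recursive: true, force: true });
}

// Defensive cleanup: only ever unlink a symlink, never a real directory.
function cleanupGuarded(p) {
  const st = fs.lstatSync(p, { throwIfNoEntry: false });
  if (st && st.isSymbolicLink()) fs.unlinkSync(p);
}

// Build a constructed sandbox under the OS temp dir, link, clean up, report.
function run(buggy, cleanup) {
  const root = fs.mkdtempSync(path.join(os.tmpdir(), 'link-demo-'));
  const cwd = path.join(root, 'project');
  const external = path.join(root, 'external');
  const dep = path.join(external, 'node_modules', 'dep', 'index.js');
  fs.mkdirSync(cwd);
  fs.mkdirSync(path.dirname(dep), { recursive: true });
  fs.writeFileSync(dep, '');
  cleanup(link(cwd, external, buggy));
  const alias = fs.lstatSync(path.join(cwd, 'node_modules'), { throwIfNoEntry: false });
  const result = { externalIntact: fs.existsSync(dep), aliasGone: alias === undefined };
  fs.rmSync(root, { recursive: true, force: true }); // remove the sandbox
  return result;
}

console.log('buggy + naive  ', run(true, cleanupNaive));
console.log('fixed + naive  ', run(false, cleanupNaive));
console.log('buggy + guarded', run(true, cleanupGuarded));
```

With the buggy return value the external directory is emptied and a dangling alias is left behind; the guarded cleanup keeps the external directory intact even when it is handed the wrong path.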

2 files changed

Lines changed: 9 additions & 8 deletions

packages/breeze/package.json

Lines changed: 1 addition & 1 deletion
@@ -21,7 +21,7 @@
2121
"tsx": "4.20.3",
2222
"typescript": "5.8.3",
2323
"vitest": "3.2.4",
24-
"zx": "8.7.1"
24+
"zx": "8.8.5"
2525
},
2626
"engines": {
2727
"pnpm": ">=10.10.0"
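
Review bot: the exact pin `"zx": "8.8.5"` on line 24 crosses seven upstream releases (8.7.2 through 8.8.5) in one automerged step, and the release notes in the commit message list behaviour changes beyond the CVE-2025-13437 fix: `SIGTERM` became the `kill()` fallback signal in 8.8.1, and `ps`/`kill()` stopped relying on `wmic` on Windows in 8.8.4. Run any script in this package that calls `kill()` or passes `--prefer-local` against 8.8.5 before merging. The notes also state that the `kill()` command injection fixed in 8.8.2 affects `8.7.1...8.8.1`, so the old pin was exposed to that issue as well; it would be worth naming it in the PR title alongside the CVE. The pnpm-lock.yaml diff (8 additions, 7 deletions) is not rendered on this page, so confirm it resolves zx only to 8.8.5 and that the one extra added line is expected.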

pnpm-lock.yaml

Lines changed: 8 additions & 7 deletions
Some generated files are not rendered by default.
