CF-16340: fix(deps): upgrade shell-quote to 1.8.4 to fix vulnerability GHSA-w7jw-789q-3m8p #218

Draft
midnight-clue[bot] wants to merge 1 commit into main from claude/CF-16340-fix-shell-quote-security

midnight-clue Bot commented Jun 17, 2026

Summary

Fixes critical security vulnerability GHSA-w7jw-789q-3m8p in the shell-quote package. The quote() function did not escape newlines in object .op values (affected range >= 1.1.0, <= 1.8.3). shell-quote was a transitive (dev-scope) dependency pinned at 1.8.3.

Change

  • Added a pnpm.overrides entry in package.json: "shell-quote@>=1.1.0 <1.8.4": "1.8.4" to force the patched version for all consumers.
  • Regenerated pnpm-lock.yaml via pnpm install; shell-quote now resolves to 1.8.4.

Verification

  • grep 'shell-quote@' pnpm-lock.yaml shows 1.8.4 and no 1.8.3-or-lower entries remain.
  • pnpm install completes without errors.

References


🤖 Claude session

…w-789q-3m8p

Co-Authored-By: victor.persien <victor.persien@getyourguide.com>
gyg-pr-tool Bot changed the title from "fix(deps): upgrade shell-quote to 1.8.4 to fix vulnerability GHSA-w7jw-789q-3m8p" to "CF-16340: fix(deps): upgrade shell-quote to 1.8.4 to fix vulnerability GHSA-w7jw-789q-3m8p" on Jun 17, 2026
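
The lockfile check from the Verification section, written as a script. This is an added example, not part of the PR: it scans lockfile text for `shell-quote@x.y.z` keys and reports any that fall in the affected range the description gives (>= 1.1.0, <= 1.8.3). The function names, the sample lockfile text and the `@example/shell-quote` and `example-dev-tool` package names are constructed for illustration.

```javascript
// Added example, not code from the PR. Sample lockfile text is constructed.
const AFFECTED_MIN = [1, 1, 0]; // range stated in the PR description: >= 1.1.0
const AFFECTED_MAX = [1, 8, 3]; // and <= 1.8.3

// Compare two [major, minor, patch] triples numerically.
function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

const parse = (s) => s.split(".").map(Number);

// Return the distinct shell-quote versions in the lockfile text that fall in
// the affected range. Only "shell-quote@x.y.z" keys match: the override
// selector "shell-quote@>=1.1.0 <1.8.4" has no digit after "@", and the
// lookbehind skips names that merely end in "shell-quote" (scoped or prefixed).
function findAffectedShellQuote(lockText) {
  const re = /(?<![\w.-]|@[\w.-]+\/)shell-quote@(\d+\.\d+\.\d+)/g;
  const hits = new Set();
  for (const m of lockText.matchAll(re)) {
    const v = parse(m[1]);
    if (cmp(v, AFFECTED_MIN) >= 0 && cmp(v, AFFECTED_MAX) <= 0) hits.add(m[1]);
  }
  return [...hits].sort((a, b) => cmp(parse(a), parse(b)));
}

// Constructed lockfile fragment: state before the override takes effect.
const SAMPLE_BEFORE = `
overrides:
  shell-quote@>=1.1.0 <1.8.4: 1.8.4
packages:
  example-dev-tool@1.0.0:
    resolution: {integrity: sha512-CONSTRUCTED}
  shell-quote@1.8.3:
    resolution: {integrity: sha512-CONSTRUCTED}
  '@example/shell-quote@1.2.0':
    resolution: {integrity: sha512-CONSTRUCTED}
snapshots:
  shell-quote@1.8.3: {}
`;
// Same fragment after regeneration: shell-quote resolves to 1.8.4.
const SAMPLE_AFTER = SAMPLE_BEFORE.replaceAll("shell-quote@1.8.3", "shell-quote@1.8.4");

console.log("before:", findAffectedShellQuote(SAMPLE_BEFORE));
console.log("after: ", findAffectedShellQuote(SAMPLE_AFTER));
```

Unlike a plain `grep`, the numeric comparison treats a hypothetical 1.10.0 as newer than 1.8.3, and a lookalike package name does not produce a false hit.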