Skip to content

[Snyk] Security upgrade shell-quote from 1.8.3 to 1.9.0#101

Open
factory-service-snyk wants to merge 1 commit into
devfrom
snyk-fix-1cecd6301b26799cdb82f3a1f6cc8848
Open

[Snyk] Security upgrade shell-quote from 1.8.3 to 1.9.0#101
factory-service-snyk wants to merge 1 commit into
devfrom
snyk-fix-1cecd6301b26799cdb82f3a1f6cc8848

Conversation

@factory-service-snyk

Copy link
Copy Markdown

snyk-top-banner

Snyk has created this PR to fix 1 vulnerabilities in the npm dependencies of this project.

Snyk changed the following file(s):

  • base-action/package.json

Vulnerabilities that will be fixed with an upgrade:

Issue Score
high severity Inefficient Algorithmic Complexity
SNYK-JS-SHELLQUOTE-17457810
  710  

Breaking Change Risk

Merge Risk: Low

Notice: This assessment is enhanced by AI.


Important

  • Check the changes in this PR to ensure they won't cause issues with your project.
  • Max score is 1000. Note that the real score may have changed since the PR was raised.
  • This PR was automatically created by Snyk using the credentials of a real user.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic


Learn how to fix vulnerabilities with free interactive lessons:

🦉 Learn about vulnerability in an interactive lesson of Snyk Learn.

@factory-service-snyk

Copy link
Copy Markdown
Author

Merge Risk: Low

This is a minor version upgrade. The changes introduce new features and do not contain any documented breaking changes.

Key Changes:

  • New Features: Adds support for <<< (here strings) and duplicating input file descriptors in the parser.
  • Deep Imports: The parse and quote functions are now available as deep imports (shell-quote/parse and shell-quote/quote).

No breaking changes were identified in the release notes for this version range.

Source: Changelog

Notice 🤖: This content was augmented using artificial intelligence. AI-generated content may contain errors and should be reviewed for accuracy before use.

@factory-droid

factory-droid Bot commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

Droid finished @factory-service-snyk's task —— View job


Security Review

The dependency range bump is fine, but the PR needs the base-action lockfiles updated so the upgrade is actually applied and installs remain deterministic.

Comment thread base-action/package.json
"dependencies": {
"@actions/core": "^1.10.1",
"shell-quote": "^1.8.3"
"shell-quote": "^1.9.0"

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[P0] [security] Update base-action lockfiles for shell-quote@^1.9.0

base-action/package.json bumps shell-quote to ^1.9.0, but base-action/package-lock.json and base-action/bun.lock still pin shell-quote@1.8.3, so npm ci/frozen-lockfile installs can fail and CI/runtime may continue using the vulnerable 1.8.3 until both lockfiles are regenerated and committed.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants