[Snyk] Security upgrade shell-quote from 1.8.3 to 1.9.0#101
[Snyk] Security upgrade shell-quote from 1.8.3 to 1.9.0#101factory-service-snyk wants to merge 1 commit into
Conversation
The following vulnerabilities are fixed with an upgrade: - https://snyk.io/vuln/SNYK-JS-SHELLQUOTE-17457810
|
This is a minor version upgrade. The changes introduce new features and do not contain any documented breaking changes. Key Changes:
No breaking changes were identified in the release notes for this version range. Source: Changelog
|
|
Droid finished @factory-service-snyk's task —— View job The dependency range bump is fine, but the PR needs the base-action lockfiles updated so the upgrade is actually applied and installs remain deterministic. |
| "dependencies": { | ||
| "@actions/core": "^1.10.1", | ||
| "shell-quote": "^1.8.3" | ||
| "shell-quote": "^1.9.0" |
There was a problem hiding this comment.
[P0] [security] Update base-action lockfiles for shell-quote@^1.9.0
base-action/package.json bumps shell-quote to ^1.9.0, but base-action/package-lock.json and base-action/bun.lock still pin shell-quote@1.8.3, so npm ci/frozen-lockfile installs can fail and CI/runtime may continue using the vulnerable 1.8.3 until both lockfiles are regenerated and committed.
Snyk has created this PR to fix 1 vulnerabilities in the npm dependencies of this project.
Snyk changed the following file(s):
base-action/package.jsonVulnerabilities that will be fixed with an upgrade:
SNYK-JS-SHELLQUOTE-17457810
Breaking Change Risk
Important
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.
For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic
Learn how to fix vulnerabilities with free interactive lessons:
🦉 Learn about vulnerability in an interactive lesson of Snyk Learn.