fix(deps): pin shell-quote to ^1.8.4 (CVE-2026-9277)#319
Open
msingleton wants to merge 1 commit into
Open
Conversation
Resolves GitHub Dependabot alert #287 / Vanta CRITICAL (CVSS 8.1). shell-quote <= 1.8.3 fails to escape line terminators in object-token .op fields passed to quote(), allowing shell command injection in callers that build object tokens from untrusted input. Reaches via launch-editor (Metro dev server) and react-devtools-core — both dev/ build-only tooling, never bundled into the published SDK and never fed attacker input, so not exploitable in our usage. Pinned anyway per the established resolutions pattern; patch bump satisfies both consumers' ranges (^1.6.1, ^1.8.3). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Pins
shell-quoteto^1.8.4via theresolutionsblock to resolve CVE-2026-9277 (CRITICAL, CVSS 8.1) — GitHub Dependabot alert #287.Vulnerability
shell-quote≤ 1.8.3 does not escape line terminators in the.opfield of object tokens passed toquote(). A literal newline passes through unescaped and POSIX shells treat it as a command separator → shell command injection in callers that build object tokens from untrusted input.Exposure assessment
Transitive dev/build-only dependency, pulled in by:
launch-editor@2.13.1(Metro dev server's editor opener)react-devtools-core@6.1.5Neither is bundled into the published SDK (
lib/), and neither is fed attacker-controlled input. Not exploitable in our usage — but pinned anyway, consistent with the existingfast-xml-parser/fast-uri/babel-systemjsresolutions precedent. Patch bump (1.8.3 -> 1.8.4) satisfies both consumers' ranges (^1.6.1,^1.8.3).