
UID2-7289: upgrade shell-quote to 1.8.4 via npm overrides (CVE-2026-9277) #194

Merged: cYKatherine merged 1 commit into main from kchen-UID2-7289-shell-quote-1.8.4 on Jun 12, 2026

@cYKatherine (Contributor)

Summary

Adds "shell-quote": "^1.8.4" to the overrides section in both affected package.json files and regenerates their package-lock.json files. Fixes CVE-2026-9277 (CRITICAL — arbitrary code execution via crafted input to shell-quote).

Affected sub-packages:

  • web-integrations/google-secure-signals/react-client-side
  • web-integrations/javascript-sdk/react-client-side

Jira

UID2-7289

Test plan

  • CI vulnerability scan passes (Trivy no longer flags CVE-2026-9277)

Add shell-quote: ^1.8.4 to overrides in both react-client-side package.json
files and regenerate their package-lock.json files.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

@cYKatherine merged commit 0d33b6c into main on Jun 12, 2026 (2 checks passed)
@cYKatherine deleted the kchen-UID2-7289-shell-quote-1.8.4 branch on June 12, 2026 06:02
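
A lockfile check for the change this PR describes, as an added example that is not part of the PR or the repository: it lists every copy of shell-quote in a package-lock.json `packages` map that resolves below 1.8.4, nested copies included. The lockfile objects, the `some-dev-tool` and `@scope/shell-quote` names, and the older version numbers are constructed sample data.

```javascript
// Added example: audit a package-lock.json "packages" map (lockfileVersion 2/3).

// "1.8.4" -> [1, 8, 4]; any -prerelease or +build suffix is ignored (simplification).
function parseVersion(v) {
  const parts = String(v).split(/[-+]/)[0].split('.').map((n) => Number.parseInt(n, 10));
  if (parts.length !== 3 || parts.some(Number.isNaN)) {
    throw new Error(`unparseable version: ${v}`);
  }
  return parts;
}

// Numeric comparison, so 1.10.0 is not treated as older than 1.8.4.
function isBelow(version, minimum) {
  const a = parseVersion(version);
  const b = parseVersion(minimum);
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i];
  }
  return false;
}

// Every install path whose final node_modules segment is `name` and whose
// resolved version is below `minimum`. Nested copies are included.
function findStaleCopies(lock, name, minimum) {
  const suffix = `node_modules/${name}`;
  return Object.entries(lock.packages || {})
    .filter(([path]) => path === suffix || path.endsWith(`/${suffix}`))
    .filter(([, meta]) => meta.version && isBelow(meta.version, minimum))
    .map(([path, meta]) => ({ path, version: meta.version }));
}

// Constructed lockfiles: before and after the override is applied.
const beforeLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'react-client-side' },
    'node_modules/shell-quote': { version: '1.8.1' },
    'node_modules/some-dev-tool/node_modules/shell-quote': { version: '1.7.3' },
    'node_modules/@scope/shell-quote': { version: '0.1.0' }, // different package, ignored
  },
};
const afterLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'react-client-side' },
    'node_modules/shell-quote': { version: '1.8.4' },
  },
};

console.log(findStaleCopies(beforeLock, 'shell-quote', '1.8.4'));
console.log(findStaleCopies(afterLock, 'shell-quote', '1.8.4'));
```

To use it on a real tree, pass the result of `JSON.parse` on each affected sub-package's package-lock.json in place of the sample objects.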