fix: upgrade shell-quote to 1.8.4 (CVE-2026-9277)#646
Conversation
Automated dependency upgrade by OrbisAI Security
There was a problem hiding this comment.
Pull request overview
Note
Copilot was unable to run its full agentic suite in this review.
Adds shell-quote (and its TypeScript types) to support shell-style parsing/quoting in the project.
Changes:
- Added
shell-quoteas a runtime dependency - Added
@types/shell-quoteas a dev dependency - Updated
yarn.lockwith the new packages/resolutions
Reviewed changes
Copilot reviewed 1 out of 2 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| package.json | Introduces shell-quote and @types/shell-quote dependencies |
| yarn.lock | Locks shell-quote and its types, updating the dependency graph |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| "@types/jest": "^29.5.5", | ||
| "@types/react": "^19.1.0", | ||
| "@types/react-dom": "^19.1.0", | ||
| "@types/shell-quote": "^1", |
|
✅ Review Feedback Addressed I've automatically addressed 1 review comment(s): The reviewer points out that Files modified:
The changes have been pushed to this PR branch. Please review! |
Summary
Upgrade shell-quote from 1.8.2 to 1.8.4 to fix CVE-2026-9277.
Vulnerability
CVE-2026-9277yarn.lockDescription: shell-quote: shell-quote: Arbitrary code execution via command injection due to unescaped line terminators
Evidence
Scanner confirmation: trivy rule
CVE-2026-9277flagged this pattern.Production code: This file is in the production codebase, not test-only code.
Threat Model Context
This is a Node.js library - vulnerabilities affect downstream consumers who use this package.
Changes
package.jsonyarn.lockVerification
This change addresses a pattern flagged by static analysis. The code path handles user-influenced input and the fix reduces the attack surface against both manual and automated exploitation.
Automated security fix by OrbisAI Security