From 6b0103889f0835771b308dee422c60c7f5e60ff3 Mon Sep 17 00:00:00 2001 From: eightrice Date: Sat, 13 Jun 2026 17:36:44 +0300 Subject: [PATCH] chore: resolve shell-quote to 1.8.4 (clears critical CVE) shell-quote <1.8.4 has a critical command-injection advisory (quote() does not escape newlines in object .op values). It reaches us only transitively through react-scripts dev/build tooling: - react-scripts > react-dev-utils > shell-quote - react-scripts > webpack-dev-server > launch-editor > shell-quote Not in the production bundle (webpack-dev-server / react-dev-utils run only during `yarn start`), so not visitor-exploitable. Pinned via resolution anyway to keep the audit clean. In-range patch bump (1.8.3 -> 1.8.4), single copy in the tree. Audit: critical 2 -> 0. --- package.json | 3 ++- yarn.lock | 8 ++++---- 2 files changed, 6 insertions(+), 5 deletions(-) diff --git a/package.json b/package.json index 729de943..7d77262b 100644 --- a/package.json +++ b/package.json @@ -132,7 +132,8 @@ "mipd": "0.0.7", "protobufjs": "7.5.8", "@noble/hashes": "1.8.0", - "dompurify": "3.4.3" + "dompurify": "3.4.3", + "shell-quote": "1.8.4" }, "overrides": { "viem": "2.17.4", diff --git a/yarn.lock b/yarn.lock index 10b5fc2e..4f65af85 100644 --- a/yarn.lock +++ b/yarn.lock @@ -16232,10 +16232,10 @@ shebang-regex@^3.0.0: resolved "https://registry.yarnpkg.com/shebang-regex/-/shebang-regex-3.0.0.tgz#ae16f1644d873ecad843b0307b143362d4c42172" integrity sha512-7++dFhtcx3353uBaq8DDR4NuxBetBzC7ZQOhmTQInHEd6bSrXdiEyzCvG07Z44UYdLShWUyXt5M/yhz8ekcb1A== -shell-quote@^1.7.3, shell-quote@^1.8.3: - version "1.8.3" - resolved "https://registry.yarnpkg.com/shell-quote/-/shell-quote-1.8.3.tgz#55e40ef33cf5c689902353a3d8cd1a6725f08b4b" - integrity sha512-ObmnIF4hXNg1BqhnHmgbDETF8dLPCggZWBjkQfhZpbszZnYur5DUljTcCHii5LC3J5E0yeO/1LIMyH+UvHQgyw== +shell-quote@1.8.4, shell-quote@^1.7.3, shell-quote@^1.8.3: + version "1.8.4" + resolved "https://registry.yarnpkg.com/shell-quote/-/shell-quote-1.8.4.tgz#2edd9a4dcefc96649e2e2cb12f637b1f1d92a190" + integrity sha512-VsC6n6vz1ihYYyZZwX7YZSF5l5x36ca17OC+a69h94YqB7X6XLwf+5MOgynYir2SLFUbl8gIYvBo8K8RoNQ6bQ== side-channel-list@^1.0.0: version "1.0.0"