
chore: upgrade shell-quote to ^1.8.4 to address CVE-2026-9277 #1299

Merged: jsourcebot merged 1 commit into main from jminnetian/SOU-1303 on Jun 10, 2026

Conversation

@jsourcebot (Contributor) commented Jun 10, 2026

Fixes SOU-1303

Addresses CVE-2026-9277 (GHSA-w7jw-789q-3m8p) — command injection via unescaped line terminators in shell-quote's quote().

shell-quote is pulled in transitively (dev-only) by two top-level devDependencies:

  • concurrently@9.2.1 pins it to exactly 1.8.3 (vulnerable). No patched 9.x exists; the only top-level fix is a major bump to concurrently@10, so per our CVE guidelines this falls back to a qualified resolutions override forcing ^1.8.4.
  • npm-run-all@4.1.5 requested ^1.6.1 but the lockfile was stale at 1.8.2; yarn up -R shell-quote refreshed it to 1.8.4.

After the change, yarn why shell-quote shows both consumers resolving to the patched 1.8.4, and the two lockfile entries collapse into one.

🤖 Generated with Claude Code

Summary by CodeRabbit

  • Bug Fixes
    • Upgraded a core dependency to improve stability and security.
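As an added example (not code from this PR, from shell-quote, or from Yarn), the script below audits a Yarn Berry lockfile for every entry that resolves shell-quote below the patched 1.8.4 and reports which package.json resolutions key covers each consumer. The lockfile text, the resolutions map and the key `concurrently/shell-quote` are constructed to mirror the two consumers named in the description; the descriptor text Yarn writes after an override, and the matching rules for resolutions keys (`parent/dep` applies only under that parent; `**/dep` or, in Yarn Berry, a bare `dep` applies to every consumer), are assumptions noted in the comments.

```javascript
// Added example, not code from this PR, shell-quote or Yarn: audit a Yarn Berry
// lockfile for a package resolved below its patched release, and report which
// package.json "resolutions" key (if any) covers each consumer of that package.

const PKG = 'shell-quote';
const PATCHED = '1.8.4'; // the release the PR description names as patched

// Numeric comparison of dotted versions; negative when a < b, zero when equal.
function cmpVersion(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Parse just the subset of the Yarn Berry lockfile we need: an unindented,
// colon-terminated key listing one or more descriptors ("name@npm:range, ..."),
// followed by an indented "version:" line holding the resolved version.
function parseLockfile(text) {
  const entries = [];
  let current = null;
  for (const line of text.split('\n')) {
    if (!line.trim() || line.startsWith('#')) continue;
    if (!/^\s/.test(line)) {
      const key = line.replace(/:\s*$/, '').replace(/^"|"$/g, '');
      current = { descriptors: key.split(',').map((d) => d.trim()), version: null };
      entries.push(current);
    } else if (current) {
      const m = line.match(/^\s+version:\s*"?([^"\s]+)"?/);
      if (m) current.version = m[1];
    }
  }
  return entries;
}

// Package name of a descriptor: everything before the "@npm:<range>" suffix.
function descriptorName(desc) {
  const i = desc.indexOf('@npm:');
  return i === -1 ? desc : desc.slice(0, i);
}

// Every lockfile entry that resolves `pkg` to a version below `minVersion`.
function findUnpatched(lockText, pkg, minVersion) {
  return parseLockfile(lockText)
    .filter((e) => e.descriptors.some((d) => descriptorName(d) === pkg))
    .filter((e) => e.version !== null && cmpVersion(e.version, minVersion) < 0)
    .map((e) => ({ descriptors: e.descriptors, version: e.version }));
}

// Assumed Yarn "resolutions" matching rules: "parent/dep" overrides dep only
// where parent requests it; "**/dep" (and, in Yarn Berry, a bare "dep") overrides
// every consumer. Returns the key that applies to this consumer, or null.
function resolutionFor(resolutions, parent, dep) {
  for (const key of [`${parent}/${dep}`, `**/${dep}`, dep]) {
    if (Object.prototype.hasOwnProperty.call(resolutions, key)) return key;
  }
  return null;
}

// Constructed "before" lockfile: one entry per consumer, both below 1.8.4.
const LOCK_BEFORE = `
"shell-quote@npm:1.8.3":
  version: 1.8.3
  resolution: "shell-quote@npm:1.8.3"

"shell-quote@npm:^1.6.1":
  version: 1.8.2
  resolution: "shell-quote@npm:1.8.2"
`;

// Constructed "after" lockfile: both descriptors collapse onto one 1.8.4 entry.
// (The exact descriptor text Yarn writes for an overridden pin is an assumption.)
const LOCK_AFTER = `
"shell-quote@npm:1.8.3, shell-quote@npm:^1.6.1":
  version: 1.8.4
  resolution: "shell-quote@npm:1.8.4"
`;

// Constructed package.json "resolutions" fragment: a qualified override for
// concurrently's exact pin only (the key name is an assumption).
const RESOLUTIONS = { 'concurrently/shell-quote': '^1.8.4' };

function auditReport(lockText) {
  return {
    unpatched: findUnpatched(lockText, PKG, PATCHED),
    concurrently: resolutionFor(RESOLUTIONS, 'concurrently', PKG),
    npmRunAll: resolutionFor(RESOLUTIONS, 'npm-run-all', PKG),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('before:', JSON.stringify(auditReport(LOCK_BEFORE), null, 2));
  console.log('after:', JSON.stringify(auditReport(LOCK_AFTER), null, 2));
}
```

Against the constructed "before" state the report lists 1.8.3 (the exact pin) and 1.8.2 (the stale range resolution) as below 1.8.4; against the "after" state it lists nothing. The qualified key resolves for the concurrently path and returns null for npm-run-all, consistent with the description, which uses the override for concurrently and `yarn up -R shell-quote` to refresh npm-run-all's range.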

@coderabbitai (bot) commented Jun 10, 2026


No actionable comments were generated in the recent review. 🎉

📥 Commits

Reviewing files that changed from the base of the PR and between 5a15a7e and 02d38e6.

⛔ Files ignored due to path filters (1)
  • yarn.lock is excluded by !**/yarn.lock, !**/*.lock
📒 Files selected for processing (2)
  • CHANGELOG.md
  • package.json

Walkthrough

This PR updates the shell-quote dependency to version 1.8.4 by adding a resolution override in package.json and documents the upgrade in the changelog under the Fixed section for the unreleased version.

Changes

shell-quote dependency upgrade

Layer / File(s): shell-quote resolution pin and changelog (package.json, CHANGELOG.md)
Summary: shell-quote is pinned to version 1.8.4 in the package.json resolutions map, and the upgrade is documented in the changelog as a fix for the unreleased version.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

🚥 Pre-merge checks: 5 passed
  • Description Check: Passed. Check skipped; CodeRabbit's high-level summary is enabled.
  • Title check: Passed. The title accurately describes the main change: upgrading shell-quote to address a specific CVE vulnerability, which aligns with the changeset modifications to CHANGELOG.md and package.json.
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check: Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: Passed. Check skipped because no linked issues were found for this pull request.


shell-quote 1.8.3 (pulled in transitively by concurrently and npm-run-all)
is vulnerable to command injection via unescaped line terminators in
quote() (GHSA-w7jw-789q-3m8p). Force the patched 1.8.4 via a qualified
resolution for concurrently's exact pin, and refresh npm-run-all's
range to 1.8.4.
@jsourcebot force-pushed the jminnetian/SOU-1303 branch from a9be810 to 02d38e6 on June 10, 2026 23:33

@github-actions (bot) commented Jun 10, 2026

License Audit

Status: FAIL

  • Total packages: 2135
  • Resolved (non-standard): 10
  • Unresolved: 1
  • Strong copyleft: 0
  • Weak copyleft: 39

Fail Reasons

  • 1 package has an unresolvable license: element-source

Unresolved Packages

  • element-source 0.0.3, license UNKNOWN. Reason: no license field on npm (all versions), no repository, homepage, or README. No LICENSE declaration found anywhere; could not determine the actual license.

Weak Copyleft Packages (informational)

Package Version License
@img/sharp-libvips-darwin-arm64 1.0.4 LGPL-3.0-or-later
@img/sharp-libvips-darwin-arm64 1.2.4 LGPL-3.0-or-later
@img/sharp-libvips-darwin-x64 1.0.4 LGPL-3.0-or-later
@img/sharp-libvips-darwin-x64 1.2.4 LGPL-3.0-or-later
@img/sharp-libvips-linux-arm 1.0.5 LGPL-3.0-or-later
@img/sharp-libvips-linux-arm 1.2.4 LGPL-3.0-or-later
@img/sharp-libvips-linux-arm64 1.0.4 LGPL-3.0-or-later
@img/sharp-libvips-linux-arm64 1.2.4 LGPL-3.0-or-later
@img/sharp-libvips-linux-ppc64 1.2.4 LGPL-3.0-or-later
@img/sharp-libvips-linux-riscv64 1.2.4 LGPL-3.0-or-later
@img/sharp-libvips-linux-s390x 1.0.4 LGPL-3.0-or-later
@img/sharp-libvips-linux-s390x 1.2.4 LGPL-3.0-or-later
@img/sharp-libvips-linux-x64 1.0.4 LGPL-3.0-or-later
@img/sharp-libvips-linux-x64 1.2.4 LGPL-3.0-or-later
@img/sharp-libvips-linuxmusl-arm64 1.0.4 LGPL-3.0-or-later
@img/sharp-libvips-linuxmusl-arm64 1.2.4 LGPL-3.0-or-later
@img/sharp-libvips-linuxmusl-x64 1.0.4 LGPL-3.0-or-later
@img/sharp-libvips-linuxmusl-x64 1.2.4 LGPL-3.0-or-later
@img/sharp-wasm32 0.33.5 Apache-2.0 AND LGPL-3.0-or-later AND MIT
@img/sharp-wasm32 0.34.5 Apache-2.0 AND LGPL-3.0-or-later AND MIT
@img/sharp-win32-arm64 0.34.5 Apache-2.0 AND LGPL-3.0-or-later
@img/sharp-win32-ia32 0.33.5 Apache-2.0 AND LGPL-3.0-or-later
@img/sharp-win32-ia32 0.34.5 Apache-2.0 AND LGPL-3.0-or-later
@img/sharp-win32-x64 0.33.5 Apache-2.0 AND LGPL-3.0-or-later
@img/sharp-win32-x64 0.34.5 Apache-2.0 AND LGPL-3.0-or-later
axe-core 4.10.3 MPL-2.0
dompurify 3.4.0 (MPL-2.0 OR Apache-2.0)
lightningcss 1.32.0 MPL-2.0
lightningcss-android-arm64 1.32.0 MPL-2.0
lightningcss-darwin-arm64 1.32.0 MPL-2.0
lightningcss-darwin-x64 1.32.0 MPL-2.0
lightningcss-freebsd-x64 1.32.0 MPL-2.0
lightningcss-linux-arm-gnueabihf 1.32.0 MPL-2.0
lightningcss-linux-arm64-gnu 1.32.0 MPL-2.0
lightningcss-linux-arm64-musl 1.32.0 MPL-2.0
lightningcss-linux-x64-gnu 1.32.0 MPL-2.0
lightningcss-linux-x64-musl 1.32.0 MPL-2.0
lightningcss-win32-arm64-msvc 1.32.0 MPL-2.0
lightningcss-win32-x64-msvc 1.32.0 MPL-2.0
Resolved Packages (10)
Package Version Original Resolved Source
codemirror-lang-elixir 4.0.0 UNKNOWN Apache-2.0 npm registry (registry.npmjs.org)
lezer-elixir 1.1.2 UNKNOWN Apache-2.0 npm registry (registry.npmjs.org)
map-stream 0.1.0 UNKNOWN MIT npm registry (registry.npmjs.org)
memorystream 0.3.1 UNKNOWN MIT npm registry (license field object [{type:MIT}])
valid-url 1.0.9 UNKNOWN MIT GitHub repo (ogt/valid-url LICENSE file states MIT)
posthog-js 1.369.0 SEE LICENSE IN LICENSE Apache-2.0 GitHub repo (PostHog/posthog-js LICENSE file is Apache-2.0)
@react-grab/cli 0.1.23 UNKNOWN MIT GitHub repo (aidenybai/react-grab LICENSE is MIT)
@react-grab/cli 0.1.29 UNKNOWN MIT GitHub repo (aidenybai/react-grab LICENSE is MIT)
@react-grab/mcp 0.1.29 UNKNOWN MIT GitHub repo (aidenybai/react-grab LICENSE is MIT)
pause-stream 0.0.11 ["MIT","Apache2"] MIT OR Apache-2.0 extracted from object (license array in package metadata)

@jsourcebot merged commit b4c4bf7 into main on Jun 10, 2026 (10 of 11 checks passed)
@jsourcebot deleted the jminnetian/SOU-1303 branch on June 10, 2026 23:52