[Snyk] Security upgrade shell-quote from 1.8.3 to 1.8.4

[factory-service-snyk]

Snyk has created this PR to fix 1 vulnerabilities in the npm dependencies of this project.

Snyk changed the following file(s):

• package.json

⚠️ Warning

Failed to update the package-lock.json, please update manually before merging.

Vulnerabilities that will be fixed with an upgrade:

	Issue	Score
	Arbitrary Command Injection SNYK-JS-SHELLQUOTE-16799355	735

---

Important

• Check the changes in this PR to ensure they won't cause issues with your project.
• Max score is 1000. Note that the real score may have changed since the PR was raised.
• This PR was automatically created by Snyk using the credentials of a real user.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Arbitrary Command Injection

[factory-droid]

Droid finished @factory-service-snyk's task —— View job

---

Droid is reviewing code and running a security check…

---

Review summary: The dependency bump is straightforward, but it’s currently incomplete: the root lockfiles still pin shell-quote@1.8.3, and the separately-installed base-action still depends on 1.8.3. Update the relevant lockfiles and bump base-action to ensure 1.8.4 is what’s installed in CI/runtime.

[factory-droid]

[P1] Update lockfiles to match shell-quote bump

package.json now requires shell-quote: ^1.8.4, but both lockfiles still pin/reference shell-quote@1.8.3 (bun.lock and package-lock.json), and this repo’s composite actions run bun install (e.g. action.yml, base-action/action.yml), so installs will drift/rewrite during runs and scanners may continue flagging 1.8.3 until the lockfiles are regenerated/updated.

[factory-droid]

[P1] [security] Also bump shell-quote in base-action to fully remediate

The root dependency bump won’t remove the vulnerable shell-quote@1.8.3 from all execution paths because base-action/package.json (and its lockfiles) still depend on shell-quote: ^1.8.3, and the composite workflows explicitly bun install the base-action separately; bumping only the root package can therefore leave SNYK-JS-SHELLQUOTE-16799355 present at runtime unless base-action is upgraded too.