Skip to content

deps: upgrade shell-quote to 1.9.0#599

Merged
paescuj merged 1 commit into
open-cli-tools:mainfrom
Mayvis:deps/shell-quote-1.9.0
Jun 30, 2026
Merged

deps: upgrade shell-quote to 1.9.0#599
paescuj merged 1 commit into
open-cli-tools:mainfrom
Mayvis:deps/shell-quote-1.9.0

Conversation

@Mayvis

@Mayvis Mayvis commented Jun 30, 2026

Copy link
Copy Markdown
Contributor

Summary

Bumps shell-quote from 1.8.4 to 1.9.0. The only consumer in this
codebase is lib/command-parser/expand-arguments.ts,
which uses quote() to escape the additional arguments substituted
into {1} / {@} / {*} placeholders.

Refs #597

Security

Pulls in fix for GHSA-395f-4hp3-45gv
/ CVE-2026-13311 — quadratic-time DoS in parse() (High, CVSS 7.5),
affected versions ≤ 1.8.4.

Note: concurrently only consumes quote(), so this codebase is not
directly exposed to the parse() DoS. The upgrade also picks up a
behavior change in quote() that escapes a leading ~ to prevent
unintended shell tilde-expansion, which is relevant to the
{1} / {@} / {*} placeholder pipeline.

Verification

  • pnpm typecheck — passes
  • pnpm test — 630 unit tests passing across 28 files
  • pnpm test:smoke — 4 smoke tests passing
  • pnpm build — succeeds
  • Manual CLI run:
    ./dist/bin/index.js -P 'echo arg is {1} all are {@}' -- foo bar
    arg is foo all are foo bar

Test plan

  • Type check
  • Unit tests
  • Smoke tests
  • Manual placeholder expansion sanity check

Bumps shell-quote from 1.8.4 to 1.9.0. Used by
lib/command-parser/expand-arguments.ts for quoting additional arguments
when expanding {1}, {@}, and {*} placeholders.

Verified with pnpm typecheck, pnpm test (630 tests), pnpm test:smoke
(4 tests), and a manual CLI run exercising placeholder expansion.
@coveralls

Copy link
Copy Markdown

Coverage Status

coverage: 98.858%. remained the same — Mayvis:deps/shell-quote-1.9.0 into open-cli-tools:main

@paescuj paescuj merged commit 49f7eb4 into open-cli-tools:main Jun 30, 2026
21 checks passed
@paescuj

paescuj commented Jun 30, 2026

Copy link
Copy Markdown
Collaborator

As correctly mentioned above, concurrently is NOT affected by GHSA-395f-4hp3-45gv!

@Mayvis Mayvis deleted the deps/shell-quote-1.9.0 branch June 30, 2026 11:23
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants