From ef42bf8fd56d0798dbd5d1aba190b8737e215922 Mon Sep 17 00:00:00 2001
From: Stefan Steiner
Date: Tue, 9 Jun 2026 18:54:50 -0700
Subject: [PATCH] =?UTF-8?q?chore(deps):=20bump=20shell-quote=201.8.3=20?=
 =?UTF-8?q?=E2=86=92=201.8.4=20(CVE-2026-9277)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

shell-quote <=1.8.3 does not escape newlines in object .op values, allowing command injection via crafted input to quote(). Severity: critical (GHSA-w7jw-789q-3m8p). Patched in 1.8.4. The vulnerable version was a transitive dep of `concurrently` in the `hyperdb-api-node/examples/hyper-explorer` example lockfile. Not exploitable in our usage (no user-supplied input reaches shell-quote), but best practice to patch critical CVEs regardless.
---
 .../examples/hyper-explorer/package-lock.json | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/hyperdb-api-node/examples/hyper-explorer/package-lock.json b/hyperdb-api-node/examples/hyper-explorer/package-lock.json
index dc15128..191b05a 100644
--- a/hyperdb-api-node/examples/hyper-explorer/package-lock.json
+++ b/hyperdb-api-node/examples/hyper-explorer/package-lock.json
@@ -34,9 +34,9 @@
 "../..": {
 "license": "MIT OR Apache-2.0",
 "devDependencies": {
- "@napi-rs/cli": "^3.6.2",
+ "@napi-rs/cli": "^3.7.0",
 "apache-arrow": "^21.1.0",
- "tsx": "^4.22.0"
+ "tsx": "^4.22.4"
 },
 "engines": {
 "node": ">= 21"
@@ -3648,9 +3648,9 @@
 "license": "ISC"
 },
 "node_modules/shell-quote": {
- "version": "1.8.3",
- "resolved": "https://registry.npmjs.org/shell-quote/-/shell-quote-1.8.3.tgz",
- "integrity": "sha512-ObmnIF4hXNg1BqhnHmgbDETF8dLPCggZWBjkQfhZpbszZnYur5DUljTcCHii5LC3J5E0yeO/1LIMyH+UvHQgyw==",
+ "version": "1.8.4",
+ "resolved": "https://registry.npmjs.org/shell-quote/-/shell-quote-1.8.4.tgz",
+ "integrity": "sha512-VsC6n6vz1ihYYyZZwX7YZSF5l5x36ca17OC+a69h94YqB7X6XLwf+5MOgynYir2SLFUbl8gIYvBo8K8RoNQ6bQ==",
 "dev": true,
 "license": "MIT",
 "engines": {