chore(deps-dev): bump shell-quote from 1.7.3 to 1.8.4 in /web #3934
dependabot[bot] wants to merge 1 commit into
Conversation
Bumps [shell-quote](https://github.com/ljharb/shell-quote) from 1.7.3 to 1.8.4.
- [Changelog](https://github.com/ljharb/shell-quote/blob/main/CHANGELOG.md)
- [Commits](ljharb/shell-quote@v1.7.3...v1.8.4)

---
updated-dependencies:
- dependency-name: shell-quote
  dependency-version: 1.8.4
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Security review — no findings
Reviewed PR #3934 (shell-quote 1.7.3 → 1.8.4 in web/package-lock.json).
Scope: Only package-lock.json changes; no application source changes.
Dependency context:
- `shell-quote` is a dev-only transitive dependency (`@vue/cli-service` → `launch-editor-middleware` → `launch-editor` → `shell-quote`), marked `"dev": true` throughout the lockfile.
- Semaphore does not import `shell-quote` directly.
- The only consumer usage is `shellQuote.parse(specifiedEditor)` in `launch-editor/guess.js` when a developer-configured editor string is provided.
CVE-2026-9277 (fixed in 1.8.4): Command injection in quote() when callers pass object tokens with attacker-controlled .op values. This integration uses parse() on a string and spawns the editor with childProcess.spawn (no shell on Linux/macOS). The documented exploit path does not apply here.
Outcome: This PR is a security remediation (1.7.3 was affected; 1.8.4 is the patched release). No medium, high, or critical vulnerabilities were introduced or newly exposed by this change.
Slack summary: PR #3934 — clean. Dev-only shell-quote bump to 1.8.4; no exploitable paths found in Semaphore. Recommend merge.
Sent by Cursor Automation: Find vulnerabilities


Bumps shell-quote from 1.7.3 to 1.8.4.
Changelog
Sourced from shell-quote's changelog.
... (truncated)
Commits
- ff166e2 v1.8.4
- 4378a6e [Fix] `quote`: validate object-token shapes
- 22ebec0 [Dev Deps] update `@ljharb/eslint-config`, `auto-changelog`, `eslint`, `npmig...`
- 9f3caa3 [Tests] increase coverage
- 3344a04 [readme] replace runkit CI badge with shields.io check-runs badge
- 699c511 [Dev Deps] update `@ljharb/eslint-config`
- 487a9b4 v1.8.3
- 01faaff [Fix] remove unnecessary backslash escaping in single quotes
- b19fc77 v1.8.2
- 59d29ea [Fix] `quote`: preserve empty strings

Maintainer changes
This version was pushed to npm by ljharb, a new releaser for shell-quote since your current version.
Install script changes
This version adds a `prepublish` script that runs during installation. Review the package contents before updating.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

You can disable automated security fix PRs for this repo from the Security Alerts page.