Skip to content

Fixes shell quote vulnerability.#239

Merged
johnnymatthews merged 7 commits into
mainfrom
fix/shell-quote-vuln
Jun 22, 2026
Merged

Fixes shell quote vulnerability.#239
johnnymatthews merged 7 commits into
mainfrom
fix/shell-quote-vuln

Conversation

@johnnymatthews

Copy link
Copy Markdown
Contributor

Closes security issue

shell-quote 1.8.3 doesn't escape newlines in object .op values, which
can allow shell injection. Pinned to >=1.8.4 via pnpm override.

Also migrated pnpm config out of package.json's "pnpm" field (ignored
since pnpm v11) into pnpm-workspace.yaml, and removed that file from
.gitignore so the override actually applies.
pnpm v11 no longer reads the "pnpm" field in package.json. All settings
were already migrated to pnpm-workspace.yaml in the previous commit.
@cloudflare-workers-and-pages

cloudflare-workers-and-pages Bot commented Jun 19, 2026

Copy link
Copy Markdown

Deploying with  Cloudflare Workers  Cloudflare Workers

The latest updates on your project. Learn more about integrating Git with Workers.

Status Name Latest Commit Preview URL Updated (UTC)
✅ Deployment successful!
View logs
shinzo-docs a908caa Commit Preview URL

Branch Preview URL
Jun 22 2026, 12:29 PM

Node 20 is deprecated on GitHub Actions runners. Also bumps pnpm from 9
to 11 to match the local version, which is required now that
pnpm-workspace.yaml exists (pnpm 9 fails with "packages field missing
or empty" when trying to resolve the store path).
Both packages are frequently updated and were published within the
24-hour minimumReleaseAge window when the lockfile was last generated,
causing CI to fail. Exempting them by name so any version installs
without the age check.
Cloudflare Pages bundles pnpm 10, which predates pnpm-workspace.yaml
as the settings file and fails with "packages field missing or empty".
The packageManager field tells Corepack (and Cloudflare) to download
and use the correct version.
shell-quote 1.8.3 does not escape newlines in object .op values,
allowing shell injection. Pinned to >=1.8.4 via pnpm override.
shell-quote 1.8.3 does not escape newlines in object .op values,
allowing shell injection. Pinned to >=1.8.4 via pnpm override.
@johnnymatthews johnnymatthews merged commit 06c169e into main Jun 22, 2026
2 checks passed
@johnnymatthews johnnymatthews deleted the fix/shell-quote-vuln branch June 22, 2026 12:30
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant