Skip to content

chore(deps): update dependency shelljs to ^0.8.0 [security] #206

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
renovate wants to merge 1 commit into
base: master
Choose a base branch
from
Open

chore(deps): update dependency shelljs to ^0.8.0 [security] #206

renovate wants to merge 1 commit into from

Conversation

@renovate
Copy link

@renovate renovate bot commented Nov 26, 2025
edited
Loading

This PR contains the following updates:

Package Change Age Confidence
shelljs ^0.7.6 -> ^0.8.0 age confidence

GitHub Vulnerability Alerts

GHSA-64g7-mvw6-v9qj

Impact

Output from the synchronous version of shell.exec() may be visible to other users on the same system. You may be affected if you execute shell.exec() in multi-user Mac, Linux, or WSL environments, or if you execute shell.exec() as the root user.

Other shelljs functions (including the asynchronous version of shell.exec()) are not impacted.

Patches

Patched in shelljs 0.8.5

Workarounds

Recommended action is to upgrade to 0.8.5.

References

https://huntr.dev/bounties/50996581-c08e-4eed-a90e-c0bac082679c/

For more information

If you have any questions or comments about this advisory:

CVE-2022-0144

shelljs is vulnerable to Improper Privilege Management

Improper Privilege Management in shelljs

GHSA-64g7-mvw6-v9qj

More information

Details

Impact

Output from the synchronous version of shell.exec() may be visible to other users on the same system. You may be affected if you execute shell.exec() in multi-user Mac, Linux, or WSL environments, or if you execute shell.exec() as the root user.

Other shelljs functions (including the asynchronous version of shell.exec()) are not impacted.

Patches

Patched in shelljs 0.8.5

Workarounds

Recommended action is to upgrade to 0.8.5.

References

https://huntr.dev/bounties/50996581-c08e-4eed-a90e-c0bac082679c/

For more information

If you have any questions or comments about this advisory:

Severity

Moderate

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

Improper Privilege Management in shelljs

CVE-2022-0144 / GHSA-4rq4-32rv-6wp6

More information

Details

shelljs is vulnerable to Improper Privilege Management

Severity

  • CVSS Score: 7.1 / 10 (High)
  • Vector String: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

Release Notes

shelljs/shelljs (shelljs)

v0.8.5

Compare Source

Full Changelog

This was a small security fix for #​1058.

v0.8.4

Compare Source

Full Changelog

This was a small security fix for #​1058.

v0.8.3

Compare Source

Full Changelog

Small patch release to fix a circular dependency warning in node v14. See #​973.

v0.8.2

Compare Source

Full Changelog

Closed issues:

  • Shelljs print stderr to console even if exec-only "silent" is true #​905
  • refactor: remove common.state.tempDir #​902
  • Can't suppress stdout for echo #​899
  • exec() doesn't apply the arguments correctly #​895
  • shell.exec('npm pack') painfully slow #​885
  • shelljs.exec cannot find app.asar/node_modules/shelljs/src/exec-child.js #​881
  • test infra: mocks and skipOnWin conflict #​862
  • Support for shell function completion on IDE #​859
  • echo command shows options in stdout #​855
  • silent does not always work #​851
  • Appveyor installs the latest npm, instead of the latest compatible npm #​844
  • Force symbolic link (ln -sf) does not overwrite/recreate existing destination #​830
  • inconsistent result when trying to echo to a file #​798
  • Prevent require()ing executable-only files #​789
  • Cannot set property to of [object String] which has only a getter #​752
  • which() should check executability before returning a value #​657
  • Bad encoding experience #​456
  • phpcs very slow #​440
  • Error shown when triggering a sigint during shelljs.exec if process.on sigint is defined #​254
  • .to\(file\) does not mute STDIO output #​146
  • Escaping shell arguments to exec() #​143
  • Allow multiple string arguments for exec() #​103
  • cp does not recursively copy from readonly location #​98
  • Handling permissions errors on file I/O #​64

Merged pull requests:

v0.8.1

Compare Source

Full Changelog

Closed issues:

  • High severity vulnerability in shelljs 0.8.1 #​842
  • Add test for ls() on a symlink to a directory #​795
  • Harden shell.exec by writing the child process in a source file #​782
  • shell.exec() doesn't respond correctly to config.fatal = true #​735
  • Merge 'exec: internal error' with ShellJSInternalError #​734
  • exec returning null from command #​724
  • Only Get Stderr from Exec #​371
  • Execute child.stdout.on before child.on("exit") #​224

Merged pull requests:

v0.8.0

Compare Source

Full Changelog

Closed issues:

  • Exec failing with internal error when piping large output #​818

Merged pull requests:

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant