[Security] Bump shell-quote from 1.7.2 to 1.7.3 (!17) · Merge requests · tools / chat

Dependabot requested to merge dependabot-npm_and_yarn-shell-quote-1.7.3 into master Jul 18, 2022

Bumps shell-quote from 1.7.2 to 1.7.3. This update includes a security fix.

Vulnerabilities fixed

Improper Neutralization of Special Elements used in a Command in Shell-quote The shell-quote package before 1.7.3 for Node.js allows command injection. An attacker can inject unescaped shell metacharacters through a regex designed to support Windows drive letters. If the output of this package is passed to a real shell as a quoted argument to a command with exec(), an attacker can inject arbitrary commands. This is because the Windows drive letter regex character class is {A-z] instead of the correct {A-Za-z]. Several shell metacharacters exist in the space between capital letter Z and lower case letter a, such as the backtick character.

Patched versions: 1.7.3 Affected versions: <= 1.7.2

Changelog

Sourced from shell-quote's changelog.

1.7.3

Fix a security issue where the regex for windows drive letters allowed some shell meta-characters to escape the quoting rules. (CVE-2021-42740)

Commits

6a8a899 1.7.3
5799416 fix for security issue with windows drive letter regex
c7de931 Add security.md
414853f Update readme.markdown (#43)
0fc4a97 use Github Actions (#42)
See full diff in compare view

Dependabot commands

You can trigger Dependabot actions by commenting on this MR

$dependabot rebase will rebase this MR
$dependabot recreate will recreate this MR rewriting all the manual changes and resolving conflicts

[Security] Bump shell-quote from 1.7.2 to 1.7.3

1.7.3

Merge request reports