Skip to content

fix: upgrade shell-quote to 1.8.4 (CVE-2026-9277)#11031

Open
orbisai0security wants to merge 1 commit into
TanStack:mainfrom
orbisai0security:fix-cve-2026-9277-shell-quote
Open

fix: upgrade shell-quote to 1.8.4 (CVE-2026-9277)#11031
orbisai0security wants to merge 1 commit into
TanStack:mainfrom
orbisai0security:fix-cve-2026-9277-shell-quote

Conversation

@orbisai0security

@orbisai0security orbisai0security commented Jul 4, 2026

Copy link
Copy Markdown
Contributor

Summary

Upgrade shell-quote from 1.8.3 to 1.8.4 to fix CVE-2026-9277.

Vulnerability

Field Value
ID CVE-2026-9277
Severity CRITICAL
Scanner trivy
Rule CVE-2026-9277
File pnpm-lock.yaml
Assessment Likely exploitable

Description: shell-quote: shell-quote: Arbitrary code execution via command injection due to unescaped line terminators

Evidence

Scanner confirmation: trivy rule CVE-2026-9277 flagged this pattern.

Production code: This file is in the production codebase, not test-only code.

Threat Model Context

This is a Node.js library - vulnerabilities affect downstream consumers who use this package.

Changes

  • pnpm-workspace.yaml
  • pnpm-lock.yaml

Verification

  • Build passes
  • Scanner re-scan confirms fix
  • LLM code review passed

This change addresses a pattern flagged by static analysis. The code path handles user-influenced input and the fix reduces the attack surface against both manual and automated exploitation.


Automated security fix by OrbisAI Security

Summary by CodeRabbit

  • Chores
    • Updated a dependency pin to a newer fixed version to improve consistency and reduce risk from version drift.

Automated dependency upgrade by OrbisAI Security
@coderabbitai

coderabbitai Bot commented Jul 4, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 79d490d8-cb78-43a9-867c-b3fa99837079

📥 Commits

Reviewing files that changed from the base of the PR and between bb68fa0 and af06c91.

⛔ Files ignored due to path filters (1)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (1)
  • pnpm-workspace.yaml

📝 Walkthrough

Walkthrough

This PR adds a single dependency override entry to pnpm-workspace.yaml, pinning the shell-quote package to version 1.8.4.

Changes

Dependency Override Update

Layer / File(s) Summary
Pin shell-quote version
pnpm-workspace.yaml
Adds an overrides entry forcing shell-quote to resolve to version 1.8.4.

Estimated code review effort: 1 (Trivial) | ~2 minutes

Possibly related PRs

  • TanStack/query#10757: Modifies the same pnpm-workspace.yaml overrides block to pin a dependency version (chokidar) in the same manner.
🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Description check ⚠️ Warning The description covers the fix well, but it misses the required template sections for the checklist and release impact. Add the required '🎯 Changes' section, both checklist items, and the '🚀 Release Impact' section with the correct checkbox.
✅ Passed checks (4 passed)
Check name Status Explanation
Title check ✅ Passed The title clearly summarizes the main change: pinning shell-quote to 1.8.4 to address CVE-2026-9277.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant