Codestin Search App

axel7083 · 2026-05-27T07:52:20Z

Description

Addressing shell-quote GHSA-w7jw-789q-3m8p

shell-quote usage originate from the concurrently library, which is only used in dev environment.

$ pnpm why shell-quote
Legend: production dependency, optional only, dev only

[email protected] /[...]/podman-desktop-extension-hummingbird (PRIVATE)

devDependencies:
concurrently 9.2.1
└── shell-quote 1.8.3

Upstream

The concurrency repository has been updated (open-cli-tools/concurrently#591) but no release has been made.

I created an upstream issue open-cli-tools/concurrently#592 to keep track, and if concurrently is getting updated we should remove the override.

Signed-off-by: axel7083 <[email protected]>

benoitf · 2026-05-27T08:19:53Z

      "cookie": "0.7.0",
-      "postcss": "^8.5.12"
+      "postcss": "^8.5.12",
+      "shell-quote": ">=1.8.4"


could be more specific if only one dependency is depending on it like concurrently>shell-quote

Signed-off-by: axel7083 <[email protected]>

chore: overrides shell-quote version to >=1.8.4

047d74f

Signed-off-by: axel7083 <[email protected]>

podman-desktop-triager Bot requested a review from benoitf May 27, 2026 07:52

podman-desktop-triager Bot added the domain/hummingbird/inreview label May 27, 2026

benoitf approved these changes May 27, 2026

View reviewed changes

podman-desktop-triager Bot added domain/hummingbird/reviewed and removed domain/hummingbird/inreview labels May 27, 2026

benoitf reviewed May 27, 2026

View reviewed changes

podman-desktop-triager Bot added domain/hummingbird/inreview and removed domain/hummingbird/reviewed labels May 27, 2026

fix: apply @benoitf suggestion

87f0b00

Signed-off-by: axel7083 <[email protected]>

benoitf approved these changes May 27, 2026

View reviewed changes

podman-desktop-triager Bot added domain/hummingbird/reviewed and removed domain/hummingbird/inreview labels May 27, 2026

axel7083 merged commit 2f64f04 into redhat-developer:main May 27, 2026
5 checks passed

benoitf mentioned this pull request May 27, 2026

chore: fix CVE-2026-9277 in shell-quote podman-desktop/podman-desktop#17639

Merged

1 task

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

chore: overrides shell-quote version to >=1.8.4#403

chore: overrides shell-quote version to >=1.8.4#403
axel7083 merged 2 commits into
redhat-developer:mainfrom
axel7083:security/overrides/shell-quote/1-8-4

axel7083 commented May 27, 2026

Uh oh!

benoitf May 27, 2026

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

Conversation

axel7083 commented May 27, 2026

Description

Upstream

Uh oh!

benoitf May 27, 2026

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants