Update dependency shelljs to ^0.10.0 [SECURITY] by renovate[bot] · Pull Request #15 · BeeTech-global/generator-api-ecma6

renovate · 2023-05-29T23:51:51Z

This PR contains the following updates:

Package	Change	Age	Confidence
shelljs	`^0.7.7` → `^0.10.0`

GitHub Vulnerability Alerts

GHSA-64g7-mvw6-v9qj

Impact

Output from the synchronous version of shell.exec() may be visible to other users on the same system. You may be affected if you execute shell.exec() in multi-user Mac, Linux, or WSL environments, or if you execute shell.exec() as the root user.

Other shelljs functions (including the asynchronous version of shell.exec()) are not impacted.

Patches

Patched in shelljs 0.8.5

Workarounds

Recommended action is to upgrade to 0.8.5.

References

https://huntr.dev/bounties/50996581-c08e-4eed-a90e-c0bac082679c/

For more information

If you have any questions or comments about this advisory:

Ask at https://github.com/shelljs/shelljs/issues/1058
Open an issue at https://github.com/shelljs/shelljs/issues/new

CVE-2022-0144

shelljs is vulnerable to Improper Privilege Management

Release Notes

shelljs/shelljs (shelljs)

`v0.10.0`

Compare Source

What's Changed

chore: update deps by @nfischer in #1201
chore: rename master -> main by @nfischer in #1203
refactor: avoid dependency cycle by @nfischer in #1204
Enforce single quotes by @abluescarab in #1207
chore: update deps by @nfischer in #1209
refactor: use require instead of import by @nfischer in #1212
refactor: use promises for utils.runScript by @nfischer in #1211
refactor: use expectations for t.throws by @nfischer in #1213
refactor: prefer promises over test.cb by @nfischer in #1214
refactor: allow es6 language features by @nfischer in #1215
refactor: use es6 class syntax for CommandError by @nfischer in #1217
chore: update ava by @nfischer in #1218
fix: cmd is compatible with node 22.10 by @nfischer in #1219
refactor: explicit handling for execa errors by @nfischer in #1220
Add -B, -A, and -C options to grep by @abluescarab in #1206
refactor: change how internal errors are handled by @nfischer in #1222
Deprecate the shjs binary by @nfischer in #1225
bump execa dependency version by @y-nk in #1216

New Contributors

@abluescarab made their first contribution in #1207
@y-nk made their first contribution in #1216

Full Changelog: shelljs/shelljs@v0.9.2...v0.10.0

`v0.9.2`

Compare Source

What's Changed

test: add tests for shelljs glob expansion by @nfischer in #1198
chore: remove unused env var by @nfischer in #1199
fix: add package.json to exports list by @nfischer in #1200

Full Changelog: shelljs/shelljs@v0.9.1...v0.9.2

`v0.9.1`

Compare Source

What's Changed

fix: add global.js and plugin.js to exports list by @nfischer in #1196

Full Changelog: shelljs/shelljs@v0.9.0...v0.9.1

`v0.9.0`

Compare Source

What's Changed

fix: Exit 1 with empty string if no match by @wyardley in #901
feat(cp): support update flag when recursing by @joshi-sh in #889
ci: change language to node_js and remove obsolete scripts by @DanielRuf in #910
chore: remove gitter integration by @nfischer in #907
chore(npm): remove lockfile by @nfischer in #911
chore: script to bump supported node versions by @nfischer in #913
chore(node): drop node v4 and v5 by @nfischer in #917
fix(exec): consistent error message for maxBuffer by @nfischer in #919
chore(test): no coverage by default by @nfischer in #920
chore(node): add v10 and v11 to CI by @nfischer in #921
test(touch): add coverage for -d option by @nfischer in #925
feat(options): initial support for long options by @nfischer in #926
docs: clarify which methods return ShellStrings by @nfischer in #934
docs: fix typo by @Jason-Cooke in #943
chore(lint): alphabetize lint rules by @nfischer in #946
chore(lint): upgrade eslint by @nfischer in #947
docs(sed): clarify using sed with newlines in #949
docs(exec): document security concerns by @nfischer in #950
docs(exec): minor wording changes on security doc by @nfischer in #951
chore(lint): update lint dependencies by @nfischer in #948
Add boolean fatal option to exec() function by @WesCossick in #961
test: misc test changes by @nfischer in #970
chore: update dev deps by @nfischer in #971
Silence potentially upcoming circular dependency warning by @addaleax in #973
fix(exec): join paths correctly by @nfischer in #975
feat: add shell.cmd to replace exec by @nfischer in #866
Update “OS X” to “macOS” by @sonicdoe in #977
chore: support up to node v13 by @nfischer in #978
fix(mv): Fix moving files across volumes by @christopherthielen in #982
Update ls with glob example. by @smack0007 in #1006
chore: change supported node versions by @nfischer in #1011
Cleanup LICENSE by @reviewher in #966
test(cmd): add test for caret char by @nfischer in #1017
fix(mkdir): mitigate directory creation race condition by @rivy in #1019
Added mkdir -p tests for subdirectories by @JessieFrance in #1026
remove file extension by @JessieFrance in #1033
Fix test command example by @wafuwafu13 in #1043
chore: set up GitHub Actions CI by @nfischer in #1055
Removed mentions of documentup website by @fineon in #1056
fix(exec): lockdown file permissions by @nfischer in #1060
chore: add SECURITY.md by @nfischer in #1061
docs(ls): document the toString() override by @nfischer in #1065
docs(chmod): briefly mention Windows file perms by @nfischer in #1066
sed with -i option now runs silently by @joshi-sh in #959
Feature: Expose Error Code by @JessieFrance in #1036
Feature/grep n by @fhanrath in #1057
Added support for -n +NUM in tail.js (with sign) by @A-725-K in #1027
chore: remove codecov devDependency by @nfischer in #1069
chore: update deps by @nfischer in #1072
test(cp): fix cp -Ru test cases by @nfischer in #1073
Add preserve option to cp by @nfischer in #869
docs(import): document es6 import command by @nfischer in #1077
docs(touch): clarify docs for touch() command by @nfischer in #1078
Added -L to find to visit symlinked folders too. by @mperrando in #1080
chore: update CI to include v18 by @nfischer in #1099
chore: add codecov token by @nfischer in #1125
chore: update CI to test against node v20 by @nfischer in #1123
fix: shell.errorCode() honors shell.exit(code) by @nfischer in #1122
docs: fix typo in security policy by @nfischer in #1134
chore: update nyc to v15 by @nfischer in #1139
chore: keep node < 16 around longer by @nfischer in #1141
chore: remove codecov token by @nfischer in #1138
test: add coverage for exit function by @nfischer in #1142
Bump GitHub workflow actions to latest versions by @deining in #1136
Fixing typos by @deining in #1137
Exports shell.js and make.js on package.json by @alexojegu in #1135
test: make a test more forgiving for systems with non-standard bash and sh paths by @skeet70 in #1144
docs: change GitHub Actions README badge by @nfischer in #1145
chore: try codecov token again by @nfischer in #1151
test: create test files inside temp directory by @nfischer in #1150
chore: remove unsupported node configs from CI by @nfischer in #1159
test: add test coverage for some globOptions by @nfischer in #1163
test: add more coverage for globOptions by @nfischer in #1164
deprecate config.globOptions by @nfischer in #1152
Fix Windows test errors in src/ls.js and test/cp.js. by @kmashint in #1166
chore: switch to codecov v4 by @nfischer in #1167
chore(dependencies): update js-yaml by @nfischer in #1169
chore: pin node v22.9.0 by @nfischer in #1182
chore: switch to testing LTS releases only by @nfischer in #1183
chore: drop support for old node versions by @nfischer in #1181
Add the exit code to the fatal error thrown from common.error(). by @kmashint in #1179
refactor: unescape quotes by @nfischer in #1184
refactor: switch to fast-glob by @nfischer in #1153
feat: expose new shell.cmd() by @nfischer in #1185
refactor: move exec-child logic into main function by @nfischer in #1186
refactor: rewrite gendocs script without commands.js by @nfischer in #1187
chore: update maintainers list by @nfischer in #1188
test: document test for newline in cmd() function by @nfischer in #1189
refactor: prefer includes() over indexOf() by @nfischer in #1190
chore: commit package-lock.json by @nfischer in #1191
chore: update ava dep by @nfischer in #1193
Explicitly require commands by @Everspace in #1119
refactor: follow up fixes for static imports by @nfischer in #1194

New Contributors

@DanielRuf made their first contribution in #910
@Jason-Cooke made their first contribution in #943
@WesCossick made their first contribution in #961
@addaleax made their first contribution in #973
@sonicdoe made their first contribution in #977
@christopherthielen made their first contribution in #982
@smack0007 made their first contribution in #1006
@reviewher made their first contribution in #966
@rivy made their first contribution in #1019
@JessieFrance made their first contribution in #1026
@wafuwafu13 made their first contribution in #1043
@fineon made their first contribution in #1056
@fhanrath made their first contribution in #1057
@A-725-K made their first contribution in #1027
@mperrando made their first contribution in #1080
@deining made their first contribution in #1136
@alexojegu made their first contribution in #1135
@skeet70 made their first contribution in #1144
@kmashint made their first contribution in #1166
@Everspace made their first contribution in #1119

Full Changelog: shelljs/shelljs@v0.8.5...v0.9.0

`v0.8.5`

Compare Source

Full Changelog

This was a small security fix for #1058.

`v0.8.4`

Compare Source

Full Changelog

This was a small security fix for #1058.

`v0.8.3`

Compare Source

Full Changelog

Small patch release to fix a circular dependency warning in node v14. See #973.

`v0.8.2`

Compare Source

Full Changelog

Closed issues:

Shelljs print stderr to console even if exec-only "silent" is true #905
refactor: remove common.state.tempDir #902
Can't suppress stdout for echo #899
exec() doesn't apply the arguments correctly #895
shell.exec('npm pack') painfully slow #885
shelljs.exec cannot find app.asar/node_modules/shelljs/src/exec-child.js #881
test infra: mocks and skipOnWin conflict #862
Support for shell function completion on IDE #859
echo command shows options in stdout #855
silent does not always work #851
Appveyor installs the latest npm, instead of the latest compatible npm #844
Force symbolic link (ln -sf) does not overwrite/recreate existing destination #830
inconsistent result when trying to echo to a file #798
Prevent require()ing executable-only files #789
Cannot set property to of [object String] which has only a getter #752
which() should check executability before returning a value #657
Bad encoding experience #456
phpcs very slow #440
Error shown when triggering a sigint during shelljs.exec if process.on sigint is defined #254
.to\(file\) does not mute STDIO output #146
Escaping shell arguments to exec() #143
Allow multiple string arguments for exec() #103
cp does not recursively copy from readonly location #98
Handling permissions errors on file I/O #64

Merged pull requests:

Add test case for sed on empty file #904 (wyardley)
refactor: don't expose tempdir in common.state #903 (nfischer)
chore(ci): fix codecov on travis #897 (nfischer)
chore(npm): add ci-or-install script #896 (nfischer)
Fix silent exec #892 (nfischer)
chore(appveyor): run entire test matrix #886 (nfischer)
docs: remove gitter badge #880 (nfischer)
grep includes the i flag #876 (ppsleep)
Fix(which): match only executable files (#657) #874 (termosa)
chore: rename some tests #871 (nfischer)
Fix cp from readonly source #870 (nfischer)
chore: bump dev dependencies and add package-lock #864 (nfischer)
fix(mocks): fix conflict between mocks and skip #863 (nfischer)
chore: output npm version in travis #850 (nfischer)
Prevent require-ing bin/shjs #848 (freitagbr)
chore(appveyor): do not use latest npm #847 (nfischer)
chore: update shelljs-release version #846 (nfischer)

`v0.8.1`

Compare Source

Full Changelog

Closed issues:

High severity vulnerability in shelljs 0.8.1 #842
Add test for ls() on a symlink to a directory #795
Harden shell.exec by writing the child process in a source file #782
shell.exec() doesn't respond correctly to config.fatal = true #735
Merge 'exec: internal error' with ShellJSInternalError #734
exec returning null from command #724
Only Get Stderr from Exec #371
Execute child.stdout.on before child.on("exit") #224

Merged pull requests:

Workaround codecov bug of miscalculation of coverage (#795) #838 (dwi2)
Update doc comments and regenerate README.md. #825 (Zearin)
chore: update contributing guidelines #817 (nfischer)
chore(lint): don't allow excess trailing newlines #816 (nfischer)
Remove separate "internal error" from exec #802 (freitagbr)

`v0.8.0`

Compare Source

Full Changelog

Closed issues:

Exec failing with internal error when piping large output #818

Merged pull requests:

Revert "refactor(exec): remove paramsFile (#807)" #819 (nfischer)

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

renovate bot changed the title ~~Update dependency shelljs to ^0.8.0 [SECURITY]~~ Update dependency shelljs to ^0.8.5 [SECURITY] Jun 1, 2023

renovate bot force-pushed the renovate/npm-shelljs-vulnerability branch from 2cba2ac to 8fc2393 Compare June 1, 2023 16:20

renovate bot changed the title ~~Update dependency shelljs to ^0.8.5 [SECURITY]~~ Update dependency shelljs to ^0.8.0 [SECURITY] Jun 9, 2023

renovate bot force-pushed the renovate/npm-shelljs-vulnerability branch 2 times, most recently from d91da04 to 2a36205 Compare June 10, 2023 14:16

renovate bot changed the title ~~Update dependency shelljs to ^0.8.0 [SECURITY]~~ Update dependency shelljs to ^0.8.5 [SECURITY] Jun 10, 2023

renovate bot changed the title ~~Update dependency shelljs to ^0.8.5 [SECURITY]~~ Update dependency shelljs to ^0.8.0 [SECURITY] Jun 14, 2023

renovate bot force-pushed the renovate/npm-shelljs-vulnerability branch 2 times, most recently from 966ae5f to b12c5c1 Compare June 17, 2023 05:21

renovate bot changed the title ~~Update dependency shelljs to ^0.8.0 [SECURITY]~~ Update dependency shelljs to ^0.8.5 [SECURITY] Jun 17, 2023

renovate bot changed the title ~~Update dependency shelljs to ^0.8.5 [SECURITY]~~ Update dependency shelljs to ^0.8.0 [SECURITY] Jun 18, 2023

renovate bot force-pushed the renovate/npm-shelljs-vulnerability branch from b12c5c1 to 774d406 Compare June 18, 2023 17:26

renovate bot changed the title ~~Update dependency shelljs to ^0.8.0 [SECURITY]~~ Update dependency shelljs to ^0.8.5 [SECURITY] Jun 23, 2023

renovate bot force-pushed the renovate/npm-shelljs-vulnerability branch from 774d406 to 4cf3fee Compare June 23, 2023 02:19

renovate bot changed the title ~~Update dependency shelljs to ^0.8.5 [SECURITY]~~ Update dependency shelljs to ^0.8.0 [SECURITY] Jun 30, 2023

renovate bot force-pushed the renovate/npm-shelljs-vulnerability branch from 4cf3fee to dc49a4b Compare June 30, 2023 02:53

renovate bot changed the title ~~Update dependency shelljs to ^0.8.0 [SECURITY]~~ Update dependency shelljs to ^0.8.5 [SECURITY] Jul 1, 2023

renovate bot force-pushed the renovate/npm-shelljs-vulnerability branch from dc49a4b to 798bf88 Compare July 1, 2023 02:08

renovate bot changed the title ~~Update dependency shelljs to ^0.8.5 [SECURITY]~~ Update dependency shelljs to ^0.8.0 [SECURITY] Jul 7, 2023

renovate bot force-pushed the renovate/npm-shelljs-vulnerability branch from 798bf88 to bb0cdf2 Compare July 7, 2023 05:44

renovate bot changed the title ~~Update dependency shelljs to ^0.8.0 [SECURITY]~~ Update dependency shelljs to ^0.8.5 [SECURITY] Jul 8, 2023

renovate bot force-pushed the renovate/npm-shelljs-vulnerability branch from bb0cdf2 to 932fcfe Compare July 8, 2023 08:58

renovate bot changed the title ~~Update dependency shelljs to ^0.8.5 [SECURITY]~~ Update dependency shelljs to ^0.8.0 [SECURITY] Jul 10, 2023

renovate bot force-pushed the renovate/npm-shelljs-vulnerability branch from 932fcfe to 5c7276f Compare July 10, 2023 02:47

renovate bot changed the title ~~Update dependency shelljs to ^0.8.0 [SECURITY]~~ Update dependency shelljs to ^0.8.5 [SECURITY] Jul 11, 2023

renovate bot force-pushed the renovate/npm-shelljs-vulnerability branch from 5c7276f to aeb2ec7 Compare July 11, 2023 23:52

renovate bot changed the title ~~Update dependency shelljs to ^0.8.5 [SECURITY]~~ Update dependency shelljs to ^0.8.0 [SECURITY] Jul 17, 2023

renovate bot force-pushed the renovate/npm-shelljs-vulnerability branch from aeb2ec7 to d0b30d1 Compare July 17, 2023 02:55

renovate bot changed the title ~~Update dependency shelljs to ^0.8.0 [SECURITY]~~ Update dependency shelljs to ^0.8.5 [SECURITY] Jul 18, 2023

renovate bot force-pushed the renovate/npm-shelljs-vulnerability branch from d0b30d1 to 2eac1f4 Compare July 18, 2023 08:45

renovate bot force-pushed the renovate/npm-shelljs-vulnerability branch from 7739c35 to 30dac10 Compare August 3, 2023 02:27

renovate bot changed the title ~~Update dependency shelljs to ^0.8.5 [SECURITY]~~ Update dependency shelljs to ^0.8.0 [SECURITY] Aug 10, 2023

renovate bot force-pushed the renovate/npm-shelljs-vulnerability branch from 30dac10 to 8749eff Compare August 10, 2023 05:38

renovate bot changed the title ~~Update dependency shelljs to ^0.8.0 [SECURITY]~~ Update dependency shelljs to ^0.8.5 [SECURITY] Aug 11, 2023

renovate bot force-pushed the renovate/npm-shelljs-vulnerability branch from 8749eff to 1ba59a3 Compare August 11, 2023 05:07

renovate bot changed the title ~~Update dependency shelljs to ^0.8.5 [SECURITY]~~ Update dependency shelljs to ^0.8.0 [SECURITY] Aug 21, 2023

renovate bot force-pushed the renovate/npm-shelljs-vulnerability branch 2 times, most recently from 35057ef to ca3bd60 Compare August 22, 2023 08:52

renovate bot changed the title ~~Update dependency shelljs to ^0.8.0 [SECURITY]~~ Update dependency shelljs to ^0.8.5 [SECURITY] Aug 22, 2023

renovate bot changed the title ~~Update dependency shelljs to ^0.8.5 [SECURITY]~~ Update dependency shelljs to ^0.8.0 [SECURITY] Aug 24, 2023

renovate bot force-pushed the renovate/npm-shelljs-vulnerability branch from ca3bd60 to 0e27a33 Compare August 24, 2023 02:51

renovate bot changed the title ~~Update dependency shelljs to ^0.8.0 [SECURITY]~~ Update dependency shelljs to ^0.8.5 [SECURITY] Aug 26, 2023

renovate bot force-pushed the renovate/npm-shelljs-vulnerability branch from 0e27a33 to 596526c Compare August 26, 2023 15:00

renovate bot changed the title ~~Update dependency shelljs to ^0.8.5 [SECURITY]~~ Update dependency shelljs to ^0.8.0 [SECURITY] Aug 27, 2023

renovate bot force-pushed the renovate/npm-shelljs-vulnerability branch from 596526c to 4e3ea5b Compare August 27, 2023 17:57

renovate bot changed the title ~~Update dependency shelljs to ^0.8.0 [SECURITY]~~ Update dependency shelljs to ^0.8.5 [SECURITY] Aug 28, 2023

renovate bot force-pushed the renovate/npm-shelljs-vulnerability branch from 4e3ea5b to 2dc5436 Compare August 28, 2023 20:44

renovate bot changed the title ~~Update dependency shelljs to ^0.8.5 [SECURITY]~~ Update dependency shelljs to ^0.8.0 [SECURITY] Sep 2, 2023

renovate bot force-pushed the renovate/npm-shelljs-vulnerability branch 2 times, most recently from be43c9b to 39f05e3 Compare September 3, 2023 14:37

renovate bot changed the title ~~Update dependency shelljs to ^0.8.0 [SECURITY]~~ Update dependency shelljs to ^0.8.5 [SECURITY] Sep 3, 2023

renovate bot changed the title ~~Update dependency shelljs to ^0.8.5 [SECURITY]~~ Update dependency shelljs to ^0.8.0 [SECURITY] Sep 20, 2023

renovate bot force-pushed the renovate/npm-shelljs-vulnerability branch from 39f05e3 to d480ef5 Compare September 20, 2023 05:27

renovate bot changed the title ~~Update dependency shelljs to ^0.8.0 [SECURITY]~~ Update dependency shelljs to ^0.8.5 [SECURITY] Sep 21, 2023

renovate bot force-pushed the renovate/npm-shelljs-vulnerability branch from d480ef5 to abfe94c Compare September 21, 2023 05:24

renovate bot changed the title ~~Update dependency shelljs to ^0.8.5 [SECURITY]~~ Update dependency shelljs to ^0.8.0 [SECURITY] Sep 27, 2023

renovate bot force-pushed the renovate/npm-shelljs-vulnerability branch from abfe94c to 6fc010f Compare September 27, 2023 05:06

renovate bot changed the title ~~Update dependency shelljs to ^0.8.0 [SECURITY]~~ Update dependency shelljs to ^0.8.5 [SECURITY] Sep 28, 2023

renovate bot force-pushed the renovate/npm-shelljs-vulnerability branch from 6fc010f to 8cc0c51 Compare September 28, 2023 02:53

Update dependency shelljs to ^0.10.0 [SECURITY]

64d18b9

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Update dependency shelljs to ^0.10.0 [SECURITY]#15

Update dependency shelljs to ^0.10.0 [SECURITY]#15
renovate[bot] wants to merge 1 commit intomasterfrom
renovate/npm-shelljs-vulnerability

renovate bot commented May 29, 2023 •

edited

Loading

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

Conversation

renovate bot commented May 29, 2023 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

GitHub Vulnerability Alerts

Impact

Patches

Workarounds

References

For more information

Release Notes

What's Changed

New Contributors

What's Changed

What's Changed

What's Changed

New Contributors

Configuration

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

renovate bot commented May 29, 2023 •

edited

Loading