chore(deps): update dependency zx to v8.8.5 #7

Open
mend-for-github-com[bot] wants to merge 1 commit into main from whitesource-remediate/zx-8.x-lockfile
mend-for-github-com bot commented Nov 25, 2025

This PR contains the following updates:

Package Type Update Change
zx (source) dependencies patch 8.8.0 -> 8.8.5
zx (source) dependencies minor 8.3.2 -> 8.8.5

By merging this PR, the below vulnerabilities will be automatically resolved:

Severity CVSS Score Vulnerability Reachability
High High 8.2 CVE-2025-13437

Release Notes

google/zx (zx)

v8.8.5: — Temporary Reservoir

This release fixes the issue where zx flushes external node_modules on linking. #1348 #1349 #1355

Also globby@15.0.0 arrives here.

v8.8.4: — Flange Coupling

It's time. This release updates zx internals to make the ps API and related methods ProcessPromise.kill(), kill() work on Windows systems without wmic.
#1344 webpod/ps#15

  1. WMIC will be missing in Windows 11 25H2 (kernel >= 26000)
  2. The windows-latest label in GitHub Actions will migrate from Windows Server 2022 to Windows Server 2025 beginning September 2, 2025 and finishing by September 30, 2025.

https://github.blog/changelog/2025-07-31-github-actions-new-apis-and-windows-latest-migration-notice/#windows-latest-image-label-migration

v8.8.3: — Sealing Gasket

Continues #1339 to prevent injections via Proxy input or custom toString() manipulations.

v8.8.2: — Leaking Valve

Fixes potential cmd injection via kill() method for Windows platform. #1337 #1339. Affects the versions range 8.7.1...8.8.1.

v8.8.1: — Turbo Flush

We keep improving the project's internal infra to bring more stability, safety and performance for artifacts.

Featfixes
  • Applied flags filtration for CLI-driven deps install #1308
  • Added kill() event logging #1312
  • Set SIGTERM as kill() fallback signal #1313
  • Allowed stdio() arg to be an array #1311

    const p = $({halt: true})`cmd`
    p.stdio([stream, 'ignore', 'pipe'])

Enhancements

  • If you want to rebase/retry this PR, check this box

mend-for-github-com bot added the "security fix" label (Security fix generated by Mend) Nov 25, 2025
mend-for-github-com bot force-pushed the whitesource-remediate/zx-8.x-lockfile branch from ad43302 to 18541c0 December 29, 2025 09:05
mend-for-github-com bot force-pushed the whitesource-remediate/zx-8.x-lockfile branch from 18541c0 to 3bd7c92 February 11, 2026 03:13
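
The v8.8.2 notes quoted above give 8.7.1...8.8.1 as the affected range for the kill() command injection on Windows. As an added example (not part of this PR or of zx), the Node.js check below walks the `packages` map of a package-lock.json and flags zx installs inside that range. The sample lockfile is constructed, and the check says nothing about CVE-2025-13437, whose affected versions this page does not state.

```javascript
// Added example, not code from zx or from this PR.
// Affected range for the kill() injection, as stated in the v8.8.2 notes.
const AFFECTED = { min: '8.7.1', max: '8.8.1' };

// Parse "MAJOR.MINOR.PATCH"; null for prerelease, missing or malformed input.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(String(v));
  return m ? m.slice(1).map(Number) : null;
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// true/false for a parseable version, null when it needs manual review.
function inAffectedRange(version) {
  const v = parseVersion(version);
  if (!v) return null;
  return compareVersions(v, parseVersion(AFFECTED.min)) >= 0 &&
    compareVersions(v, parseVersion(AFFECTED.max)) <= 0;
}

// Walk the "packages" map of a lockfileVersion 2/3 package-lock.json and
// report every zx install, including copies nested under other packages.
function findZx(lock) {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === 'node_modules/zx' || path.endsWith('/node_modules/zx')) {
      hits.push({ path, version: entry.version, affected: inAffectedRange(entry.version) });
    }
  }
  return hits;
}

// Constructed sample lockfile (not taken from the PR's repository).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo' },
    'node_modules/zx': { version: '8.8.0' },
    'node_modules/tool/node_modules/zx': { version: '8.3.2' },
    'node_modules/zxcvbn': { version: '4.4.2' },
  },
};

console.log(findZx(sampleLock));
```

To run it against a real project, replace `sampleLock` with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`; nested copies matter because a transitive dependency can pin its own zx.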