[security] deps: vulnerability in shell-quote (critical) #95
Labels
No labels
autopilot:pending-human
source:analyste
source:defenseur
source:human
source:medic
status:approved
status:blocked
status:in-progress
status:needs-clarification
status:needs-fix
status:ready
status:review
status:triage
type:bug
type:feature
type:infra
type:refactor
type:schema
type:security
No milestone
No project
No assignees
1 participant
Notifications
Due date
No due date set.
Dependencies
No dependencies set.
Reference: maximus/simpl-liste#95
Loading…
Reference in a new issue
No description provided.
Delete branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Contexte
Detecte par le Defenseur (npm audit) le 2026-06-30. Vulnerabilite CRITICAL GHSA-w7jw-789q-3m8p ("shell-quote quote() does not escape newlines in object .op values"), range affecte
>=1.1.0 <=1.8.3.Chaine transitive unique :
react-native > react-devtools-core@6.1.5 > shell-quote@1.8.3(dev-only, outil DevTools/Metro, pas de code de prod).react-devtools-coredeclare^1.6.1, compatible avec1.8.4(premiere version corrigee).Travail a faire
package.json->overrides:"react-devtools-core": { "shell-quote": "^1.8.4" }npm installpour regenererpackage-lock.jsonnpm ls shell-quote->>=1.8.4,npm auditne liste plus ce CVEFichiers concernes
package.json(sectionoverrides)package-lock.json(regenere)Surface de test
Aucune (dev-only, DevTools/Metro). Verification :
npm installsans erreur +npx expo startdemarre normalement.Criteres d'acceptation
npm audit --json | jq '.vulnerabilities."shell-quote"'videnpm ls shell-quote>= 1.8.4Complexite estimee
Simple.
Plan global
Fait partie d'un lot de 5 fixes deps (#95-#99) resolus par ajout d'overrides scopes dans le meme bloc
package.json. Voir issue #96 pour le detail du plan combine.