Bump shell-quote from 1.8.3 to 1.9.0 #6027

Open
dependabot[bot] wants to merge 1 commit into develop from dependabot/npm_and_yarn/shell-quote-1.8.4

dependabot[bot] commented on behalf of github on Jun 10, 2026

Bumps shell-quote from 1.8.3 to 1.9.0.

Changelog

Sourced from shell-quote's changelog.

v1.9.0 - 2026-06-24

Commits

  • [New] add types dca6e21
  • [Dev Deps] update eslint 9aa9e8f
  • [Fix] parse: finalize tokens in linear time (GHSA-395f-4hp3-45gv) 7ff5488
  • [actions] update workflows 75e8497
  • [actions] Windows + node 4/6/7: pin eslint to 9 before install, since npm 2/3 cannot stage eslint 10@types/esrecurse 3fb739d
  • [actions] retry npm install on Windows to survive npm 2/3 staging-rename flake abe0163
  • [actions] Windows + node 5/7: install deps with a modern node b4bafa2
  • [Fix] quote: escape leading ~ to prevent shell tilde-expansion 7a76c1a
  • [Dev Deps] update auto-changelog, tape 7184b44
  • [Dev Deps] apparently jackspeak is no longer in the graph 9ba368a

v1.8.4 - 2026-05-22

Commits

  • [Fix] quote: validate object-token shapes 4378a6e
  • [Dev Deps] update @ljharb/eslint-config, auto-changelog, eslint, npmignore 22ebec0
  • [Tests] increase coverage 9f3caa3
  • [readme] replace runkit CI badge with shields.io check-runs badge 3344a04
  • [Dev Deps] update @ljharb/eslint-config 699c511

Commits

  • db09fc7 v1.9.0
  • 7ff5488 [Fix] parse: finalize tokens in linear time (GHSA-395f-4hp3-45gv)
  • b4bafa2 [actions] Windows + node 5/7: install deps with a modern node
  • 3fb739d [actions] Windows + node 4/6/7: pin eslint to 9 before install, since npm 2/3...
  • abe0163 [actions] retry npm install on Windows to survive npm 2/3 staging-rename flake
  • 7a76c1a [Fix] quote: escape leading ~ to prevent shell tilde-expansion
  • 75e8497 [actions] update workflows
  • dca6e21 [New] add types
  • 9aa9e8f [Dev Deps] update eslint
  • 9ba368a [Dev Deps] apparently jackspeak is no longer in the graph
  • Additional commits viewable in compare view


Note

Low Risk
Dependency-only lockfile change with upstream security and quoting fixes; no application source changes.

Overview
Updates the lockfile so shell-quote resolves to 1.9.0 (from 1.8.3). The package is pulled in transitively (e.g. via launch-editor and react-devtools-core), not as a direct application dependency.

1.9.0 brings a security fix for parse (linear-time token finalization, GHSA-395f-4hp3-45gv), safer quote behavior for leading ~, and bundled TypeScript types. The diff also trims a redundant nested chain-registry lockfile entry under @chain-registry/utils, consistent with lockfile normalization from the same install.

Reviewed by Cursor Bugbot for commit c185e17.

dependabot[bot] added the dependencies and javascript labels on Jun 10, 2026

dependabot[bot] force-pushed the dependabot/npm_and_yarn/shell-quote-1.8.4 branch 5 times, most recently from f1a5aeb to 06e53fe, on June 19, 2026 05:31

dependabot[bot] force-pushed the dependabot/npm_and_yarn/shell-quote-1.8.4 branch from 06e53fe to 821f653 on June 23, 2026 22:56

dependabot[bot] changed the title from "Bump shell-quote from 1.8.3 to 1.8.4" to "Bump shell-quote from 1.8.3 to 1.9.0" on Jun 30, 2026

dependabot[bot] force-pushed the dependabot/npm_and_yarn/shell-quote-1.8.4 branch 3 times, most recently from 0fa1888 to 3d6f94a, on June 30, 2026 03:09

Bumps [shell-quote](https://github.com/ljharb/shell-quote) from 1.8.3 to 1.9.0.
- [Changelog](https://github.com/ljharb/shell-quote/blob/main/CHANGELOG.md)
- [Commits](ljharb/shell-quote@v1.8.3...v1.9.0)

---
updated-dependencies:
- dependency-name: shell-quote
  dependency-version: 1.8.4
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>

dependabot[bot] force-pushed the dependabot/npm_and_yarn/shell-quote-1.8.4 branch from 3d6f94a to c185e17 on June 30, 2026 03:13