Update dependency shelljs to ^0.8.5 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
shelljs	^0.7.7 -> ^0.8.5

GitHub Vulnerability Alerts

GHSA-64g7-mvw6-v9qj

Impact

Output from the synchronous version of shell.exec() may be visible to other users on the same system. You may be affected if you execute shell.exec() in multi-user Mac, Linux, or WSL environments, or if you execute shell.exec() as the root user.

Other shelljs functions (including the asynchronous version of shell.exec()) are not impacted.

Patches

Patched in shelljs 0.8.5

Workarounds

Recommended action is to upgrade to 0.8.5.

References

https://huntr.dev/bounties/50996581-c08e-4eed-a90e-c0bac082679c/

For more information

If you have any questions or comments about this advisory:

• Ask at https://github.com/shelljs/shelljs/issues/1058
• Open an issue at https://github.com/shelljs/shelljs/issues/new

CVE-2022-0144

shelljs is vulnerable to Improper Privilege Management

---

Release Notes

shelljs/shelljs (shelljs)

v0.8.5

Compare Source

Full Changelog

This was a small security fix for #​1058.

v0.8.4

Compare Source

Full Changelog

This was a small security fix for #​1058.

v0.8.3

Compare Source

Full Changelog

Small patch release to fix a circular dependency warning in node v14. See #​973.

v0.8.2

Compare Source

Full Changelog

Closed issues:

• Shelljs print stderr to console even if exec-only "silent" is true #​905
• refactor: remove common.state.tempDir #​902
• Can't suppress stdout for echo #​899
• exec() doesn't apply the arguments correctly #​895
• shell.exec('npm pack') painfully slow #​885
• shelljs.exec cannot find app.asar/node_modules/shelljs/src/exec-child.js #​881
• test infra: mocks and skipOnWin conflict #​862
• Support for shell function completion on IDE #​859
• echo command shows options in stdout #​855
• silent does not always work #​851
• Appveyor installs the latest npm, instead of the latest compatible npm #​844
• Force symbolic link (ln -sf) does not overwrite/recreate existing destination #​830
• inconsistent result when trying to echo to a file #​798
• Prevent require()ing executable-only files #​789
• Cannot set property to of [object String] which has only a getter #​752
• which() should check executability before returning a value #​657
• Bad encoding experience #​456
• phpcs very slow #​440
• Error shown when triggering a sigint during shelljs.exec if process.on sigint is defined #​254
• .to\(file\) does not mute STDIO output #​146
• Escaping shell arguments to exec() #​143
• Allow multiple string arguments for exec() #​103
• cp does not recursively copy from readonly location #​98
• Handling permissions errors on file I/O #​64

Merged pull requests:

• Add test case for sed on empty file #​904 (wyardley)
• refactor: don't expose tempdir in common.state #​903 (nfischer)
• chore(ci): fix codecov on travis #​897 (nfischer)
• chore(npm): add ci-or-install script #​896 (nfischer)
• Fix silent exec #​892 (nfischer)
• chore(appveyor): run entire test matrix #​886 (nfischer)
• docs: remove gitter badge #​880 (nfischer)
• grep includes the i flag #​876 (ppsleep)
• Fix(which): match only executable files (#​657) #​874 (termosa)
• chore: rename some tests #​871 (nfischer)
• Fix cp from readonly source #​870 (nfischer)
• chore: bump dev dependencies and add package-lock #​864 (nfischer)
• fix(mocks): fix conflict between mocks and skip #​863 (nfischer)
• chore: output npm version in travis #​850 (nfischer)
• Prevent require-ing bin/shjs #​848 (freitagbr)
• chore(appveyor): do not use latest npm #​847 (nfischer)
• chore: update shelljs-release version #​846 (nfischer)

v0.8.1

Compare Source

Full Changelog

Closed issues:

• High severity vulnerability in shelljs 0.8.1 #​842
• Add test for ls() on a symlink to a directory #​795
• Harden shell.exec by writing the child process in a source file #​782
• shell.exec() doesn't respond correctly to config.fatal = true #​735
• Merge 'exec: internal error' with ShellJSInternalError #​734
• exec returning null from command #​724
• Only Get Stderr from Exec #​371
• Execute child.stdout.on before child.on("exit") #​224

Merged pull requests:

• Workaround codecov bug of miscalculation of coverage (#​795) #​838 (dwi2)
• Update doc comments and regenerate README.md. #​825 (Zearin)
• chore: update contributing guidelines #​817 (nfischer)
• chore(lint): don't allow excess trailing newlines #​816 (nfischer)
• Remove separate "internal error" from exec #​802 (freitagbr)

v0.8.0

Compare Source

Full Changelog

Closed issues:

• Exec failing with internal error when piping large output #​818

Merged pull requests:

• Revert "refactor(exec): remove paramsFile (#​807)" #​819 (nfischer)

v0.7.8

Compare Source

Full Changelog

Closed issues:

• Snyk vulnerability DB reporting command injection vulnerability in ShellJS #​810
• chore: upgrade nyc #​803
• Update CI to use Node v9 #​799
• Link to FAQ wiki section in our issue template #​787
• Is it possible to get a js library(file) for ShellJS #​776
• 48, #​774
• 47 #​773
• Exec function calls JSON.stringify on command #​772
• getting different result from terminal and with shelljs #​769
• test() does not support -w and -x options #​768
• Snyk "high severity" issue #​766
• Snyk "high security #​765
• ShellJS doesn't respect NPM Registry being set outside of it #​761
• Run second shell script #​756
• shelljs seems NOT compatible with nexe under CentOS 6.5 #​754
• Feature request: pushd/popd -q option #​753
• cat doesn't support '-n' option #​750
• shelljs run xcodebuild error #​749
• Add wrappers around fs.statSync and fs.lstatSync #​745
• Improve coverage for exec() #​742
• Improve coverage for head() #​741
• shelljs is no longer used in PDF.js #​737
• ls doesn't follow links to directories #​733
• Add test for ls regular-file.txt #​732
• Clean up common tests #​714
• Cant get encoding buffer to work on exec #​675
• Set up Codecov for the project #​671
• ShellJS: internal error Error: EBUSY: resource busy or locked, lstat 'C:\pagefile.sys' #​514
• Feature request: provide a way to skip option parsing #​778
• Switch to os.homedir() when we move to v4+ #​683
• Drop support for v0.12 #​647
• feature: echo -n #​559
• Don't kill the node process upon unexpected error #​483
• Echo doesn't return value ending in a trailing newline #​476
• Synchronous exec stalls permenantly when there is an error/w the shell #​7

Merged pull requests:

• docs: announce plugin API #​812 (nfischer)
• chore: update CI to Node v9 #​811 (nfischer)
• refactor(exec): remove paramsFile #​807 (nfischer)
• chore: update nyc dependency #​805 (nfischer)
• refactor: harden plugins against unknown options #​804 (nfischer)
• chore(eslint): use words instead of numbers #​797 (nfischer)
• Add note to issue template about FAQ #​794 (freitagbr)
• Remove codeFile parameter #​791 (nfischer)
• Use execFileSync to launch child process #​790 (nfischer)
• refactor(exec): move child process to source file #​786 (nfischer)
• Remove unnecessary shell.error checks from common tests #​785 (freitagbr)
• Add a test for ls for a single file #​784 (freitagbr)
• Wrap fs.statSync and fs.lstatSync #​783 (freitagbr)
• chore: set AVA options #​780 (nfischer)
• chore: clean up refs to unsupported node versions #​779 (nfischer)
• Added -q (quiet) option to push, popd, dirs functions. #​777 (alexreg)
• feat(cat): number output lines (#​750) #​775 (gcca)
• refactor(test): update AVA and refactor tests #​760 (nfischer)
• chore: add skipOnWin and skipOnUnix test helpers #​746 (nfischer)
• test(exec): add tests for coverage #​744 (nfischer)
• test(head): improve coverage #​743 (nfischer)
• Remove PDF.js mention from README.md #​738 (voy)
• Provide an API to pass parameters which resemble options #​792 (nfischer)
• Fix ls not following links to directories by default #​764 (freitagbr)
• Add "encoding" option to exec #​763 (freitagbr)
• Merge dev into master #​731 (freitagbr)
• Deprecate common.getUserHome, advise using os.homedir instead #​725 (freitagbr)
• Echo test mocks #​708 (freitagbr)
• Safely exit by throwing an error #​546 (freitagbr)
• chore(make): depreciate shelljs/make #​431 (ariporad)

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.