Skip to content

Bump shell-quote from 1.8.3 to 1.9.0#6027

Open
dependabot[bot] wants to merge 1 commit into
developfrom
dependabot/npm_and_yarn/shell-quote-1.8.4
Open

Bump shell-quote from 1.8.3 to 1.9.0#6027
dependabot[bot] wants to merge 1 commit into
developfrom
dependabot/npm_and_yarn/shell-quote-1.8.4

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 10, 2026

Copy link
Copy Markdown
Contributor

Bumps shell-quote from 1.8.3 to 1.9.0.

Changelog

Sourced from shell-quote's changelog.

v1.9.0 - 2026-06-24

Commits

  • [New] add types dca6e21
  • [Dev Deps] update eslint 9aa9e8f
  • [Fix] parse: finalize tokens in linear time (GHSA-395f-4hp3-45gv) 7ff5488
  • [actions] update workflows 75e8497
  • [actions] Windows + node 4/6/7: pin eslint to 9 before install, since npm 2/3 cannot stage eslint 10@types/esrecurse 3fb739d
  • [actions] retry npm install on Windows to survive npm 2/3 staging-rename flake abe0163
  • [actions] Windows + node 5/7: install deps with a modern node b4bafa2
  • [Fix] quote: escape leading ~ to prevent shell tilde-expansion 7a76c1a
  • [Dev Deps] update auto-changelog, tape 7184b44
  • [Dev Deps] apparently jackspeak is no longer in the graph 9ba368a

v1.8.4 - 2026-05-22

Commits

  • [Fix] quote: validate object-token shapes 4378a6e
  • [Dev Deps] update @ljharb/eslint-config, auto-changelog, eslint, npmignore 22ebec0
  • [Tests] increase coverage 9f3caa3
  • [readme] replace runkit CI badge with shields.io check-runs badge 3344a04
  • [Dev Deps] update @ljharb/eslint-config 699c511
Commits
  • db09fc7 v1.9.0
  • 7ff5488 [Fix] parse: finalize tokens in linear time (GHSA-395f-4hp3-45gv)
  • b4bafa2 [actions] Windows + node 5/7: install deps with a modern node
  • 3fb739d [actions] Windows + node 4/6/7: pin eslint to 9 before install, since npm 2/3...
  • abe0163 [actions] retry npm install on Windows to survive npm 2/3 staging-rename flake
  • 7a76c1a [Fix] quote: escape leading ~ to prevent shell tilde-expansion
  • 75e8497 [actions] update workflows
  • dca6e21 [New] add types
  • 9aa9e8f [Dev Deps] update eslint
  • 9ba368a [Dev Deps] apparently jackspeak is no longer in the graph
  • Additional commits viewable in compare view


Note

Low Risk
Dependency-only lockfile change affecting dev-tool transitive packages; the upgrade includes a published security fix and does not touch app business logic.

Overview
Updates the lockfile so shell-quote resolves to 1.9.0 (from 1.8.3), including resolved URL and integrity hash. The bump is transitive for tooling such as launch-editor and react-devtools-core; there is no direct application source change in this diff.

1.9.0 brings security and quoting fixes in the library (parse linear-time token finalization for GHSA-395f-4hp3-45gv, quote escaping a leading ~, plus bundled TypeScript types). The diff also removes a nested chain-registry entry under @chain-registry/utils, which is typical lockfile housekeeping alongside the version bump.

Reviewed by Cursor Bugbot for commit 3bcd672. Bugbot is set up for automated code reviews on this repo. Configure here.

@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Jun 10, 2026
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/shell-quote-1.8.4 branch 5 times, most recently from f1a5aeb to 06e53fe Compare June 19, 2026 05:31
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/shell-quote-1.8.4 branch from 06e53fe to 821f653 Compare June 23, 2026 22:56
@dependabot dependabot Bot changed the title Bump shell-quote from 1.8.3 to 1.8.4 Bump shell-quote from 1.8.3 to 1.9.0 Jun 30, 2026
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/shell-quote-1.8.4 branch 6 times, most recently from b2d3ba1 to 80c391a Compare July 3, 2026 21:16
Bumps [shell-quote](https://github.com/ljharb/shell-quote) from 1.8.3 to 1.9.0.
- [Changelog](https://github.com/ljharb/shell-quote/blob/main/CHANGELOG.md)
- [Commits](ljharb/shell-quote@v1.8.3...v1.9.0)

---
updated-dependencies:
- dependency-name: shell-quote
  dependency-version: 1.8.4
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/shell-quote-1.8.4 branch from 80c391a to 3bcd672 Compare July 3, 2026 23:43
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants