chore(deps): update dependency @npmcli/git to 2.0.8 [security] - abandoned

[renovate]

This PR contains the following updates:

Package	Change
@​npmcli/git	2.0.6 -> 2.0.8

GitHub Vulnerability Alerts

GHSA-hxwm-x553-x359

Summary

There exists a command injection vulnerability in npmcli/git versions <2.0.8 which may result in arbitrary shell command execution due to improper argument sanitization when npmcli/git is used to execute Git commands based on user controlled input.

The impact of this issue is possible Arbitrary Command Injection when npmcli/git is run with untrusted (user controlled) Git command arguments.

Impact

Arbitrary Command Injection

Details

npmcli/git prior to release 2.0.8 passed user controlled input as arguments to a shell command without properly sanitizing this input. Passing unsanitized input to a shell can lead to arbitrary command injection. For example passing git+https://github.com/npm/git; echo hello world would trigger the shell execution of echo hello world.

This issue was remediated by no longer running npmcli/git git commands through an intermediate shell.

Patches

This issue has been patched in release 2.0.8

Acknowledgements

This report was reported to us by @​tyage (Ierae Security) through the GitHub Bug Bounty Program.

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate. View repository job log here.

[renovate]

Autoclosing Skipped

This PR has been flagged for autoclosing. However, it is being skipped due to the branch being already modified. Please close/delete it manually or report a bug if you think this is in error.