Override shell-quote to ^1.8.4 #27554

Open · frankmueller-msft wants to merge 1 commit into main from fix/cg-shell-quote


Conversation

frankmueller-msft (Contributor) commented Jun 17, 2026

Summary

Adds pnpm overrides across all 11 workspace roots to bump shell-quote from 1.8.3 → 1.8.4, resolving CG alert 14301083.

Why overrides are needed in every workspace

concurrently@9.2.1 declares an exact dependency on shell-quote: 1.8.3 (no caret/tilde). Without an override, pnpm install will always resolve to the vulnerable version. Since concurrently is a transitive dependency in all 11 workspaces, the override is required everywhere.

Changes

  • Added shell-quote: ^1.8.4 override to all workspace pnpm-workspace.yaml files
  • Updated all pnpm-lock.yaml files (1.8.3 → 1.8.4)

Copilot AI review requested due to automatic review settings June 17, 2026 03:24
github-actions Bot commented Jun 17, 2026

Hi! Thank you for opening this PR. Want me to review it?

Based on the diff (164 lines, 22 files), I've queued these reviewers:

  • Correctness — logic errors, race conditions, lifecycle issues
  • Security — vulnerabilities, secret exposure, injection
  • API Compatibility — breaking changes, release tags, type design
  • Performance — algorithmic regressions, memory leaks
  • Testing — coverage gaps, hollow tests

How this works

  • Adjust the reviewer set by ticking/unticking boxes above. Reviewer toggles alone don't trigger anything.

  • Tick Start review below to dispatch the review fleet.

  • After review finishes, tick Start review again to request another run — it auto-resets after each dispatch.

  • This comment updates as new commits land; your reviewer selections are preserved.

  • Start review

Copilot AI left a comment

Copilot reviewed 11 out of 22 changed files in this pull request and generated no comments.

Files not reviewed (11)
  • build-tools/pnpm-lock.yaml: Generated file
  • common/build/eslint-config-fluid/pnpm-lock.yaml: Generated file
  • common/lib/common-utils/pnpm-lock.yaml: Generated file
  • common/lib/protocol-definitions/pnpm-lock.yaml: Generated file
  • pnpm-lock.yaml: Generated file
  • server/gitrest/pnpm-lock.yaml: Generated file
  • server/historian/pnpm-lock.yaml: Generated file
  • server/routerlicious/pnpm-lock.yaml: Generated file
  • tools/api-markdown-documenter/pnpm-lock.yaml: Generated file
  • tools/benchmark/pnpm-lock.yaml: Generated file
  • website/pnpm-lock.yaml: Generated file

github-actions Bot commented Jun 17, 2026

Fleet Review — Clean

No issues found across the reviewer fleet for this run.

View run

@frankmueller-msft frankmueller-msft enabled auto-merge (squash) June 17, 2026 16:57

alexvy86 (Contributor) left a comment

I see some inconsistencies (not all lockfiles list the override) but that might be moot because now that the new patch version is updated in the lockfiles, it's very probable the overrides in all the pnpm-workspace.yaml files are now unnecessary. I'd be a bit surprised if something pins its shell-quote dep specifically to 1.8.3 instead of a range that will still be happy with 1.8.4. I'd prefer to keep the list of overrides clean, with only the ones that we must keep so the lockfile doesn't revert to a bad version.

concurrently@9.2.1 pins shell-quote to exact 1.8.3, so a pnpm override
is required in every workspace to pick up the patched 1.8.4 release.

Affected workspaces:
- root (client release group)
- build-tools
- common/build/eslint-config-fluid
- common/lib/common-utils
- common/lib/protocol-definitions
- server/gitrest
- server/historian
- server/routerlicious
- tools/api-markdown-documenter
- tools/benchmark
- website

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
frankmueller-msft (Author) commented

Good call — I verified that concurrently@9.2.1 declares an exact dependency on shell-quote: "1.8.3" (no caret/tilde). Without the override, pnpm install will always resolve to the vulnerable version. Since concurrently is present in all 11 workspaces, the override is unfortunately required everywhere.

I've updated the comments in each pnpm-workspace.yaml to make this clear, and added a section to the PR description explaining it.

github-actions Bot commented

🔗 No broken links found! ✅

Your attention to detail is admirable.

linkcheck output

1: starting server using command "npm run serve -- --no-open"
and when url "[ 'http://127.0.0.1:3000' ]" is responding with HTTP status code 200
running tests using command "npm run check-links"


> fluid-framework-website@0.0.0 serve
> docusaurus serve --no-open

[SUCCESS] Serving "build" directory at: http://localhost:3000/

> fluid-framework-website@0.0.0 check-links
> linkcheck http://localhost:3000 --skip-file skipped-urls.txt

Crawling...

Stats:
  290922 links
    1934 destination URLs
    2184 URLs ignored
       0 warnings
       0 errors


alexvy86 (Contributor) commented

concurrently@9.2.1 declares an exact dependency on shell-quote: "1.8.3"

Ah, unfortunately true. Then my concern about the lockfiles is still valid, it seems like maybe the changes in some lockfiles were just pattern-matched and applied without actually running pnpm install because they don't list shell-quote in their overrides section. The one for build-tools doesn't have it, for example (I didn't look at the rest). So I'd suggest ensuring that we've actually run pnpm install in all workspaces and the lockfiles are fully in sync with what the pnpm-workspace files say.
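
The lockfile/override consistency check asked for above, as an added example (not code from the PR or the repository): it parses constructed pnpm-workspace.yaml and pnpm-lock.yaml samples line by line and reports when the lockfile's overrides section or its resolved shell-quote version disagrees with the workspace override. The parser assumes the pnpm-lock.yaml v9 layout shown in the samples (top-level `overrides:` map, `name@version:` keys under `packages:`); in practice the two files would be read from each of the 11 workspaces.

```python
import re
# Constructed inputs (not from the PR). The top-level `overrides:` map and the
# `  name@version:` keys under `packages:` follow the pnpm-lock.yaml v9 layout.
WORKSPACE_YAML = "packages:\n  - 'packages/**'\noverrides:\n  shell-quote: ^1.8.4\n"
LOCK_IN_SYNC = """lockfileVersion: '9.0'
overrides:
  shell-quote: ^1.8.4
packages:
  concurrently@9.2.1:
  shell-quote@1.8.4:
"""
# Hand-edited lockfile: version bumped but the override never recorded, so the
# next `pnpm install` would fall back to concurrently's exact 1.8.3 pin.
LOCK_STALE = LOCK_IN_SYNC.replace("overrides:\n  shell-quote: ^1.8.4\n", "")
LOCK_REVERTED = LOCK_STALE.replace("shell-quote@1.8.4", "shell-quote@1.8.3")
PKG_KEY = re.compile(r"^  (.+?)@(\d+\.\d+\.\d+)(?:\(.*\))?:$")

def parse_overrides(yaml_text):
    """{name: range} from a top-level `overrides:` block, parsed line by line."""
    found, in_block = {}, False
    for line in yaml_text.splitlines():
        if line and not line[0].isspace():  # any new top-level key ends the block
            in_block = line.rstrip() == "overrides:"
        elif in_block and ":" in line:
            name, _, rng = line.strip().partition(":")
            found[name] = rng.strip()
    return found

def locked_versions(lock_text, name):
    # Every version of `name` recorded as a `packages:` key in the lockfile.
    return {m.group(2) for m in map(PKG_KEY.match, lock_text.splitlines())
            if m and m.group(1) == name}

def satisfies_caret(version, rng):
    base = tuple(map(int, rng.lstrip("^").split(".")))  # caret, majors >= 1 only
    v = tuple(map(int, version.split(".")))
    return v[0] == base[0] and v >= base

def check_workspace(workspace_yaml, lock_yaml, name):
    """Findings for one workspace; an empty list means lockfile and override agree."""
    wanted = parse_overrides(workspace_yaml).get(name)
    if wanted is None:
        return [f"{name}: no override in pnpm-workspace.yaml"]
    findings, recorded = [], parse_overrides(lock_yaml).get(name)
    if recorded != wanted:
        findings.append(f"{name}: lockfile records override {recorded!r}, workspace says {wanted!r}")
    stale = sorted(v for v in locked_versions(lock_yaml, name) if not satisfies_caret(v, wanted))
    if stale:
        findings.append(f"{name}: lockfile still resolves {', '.join(stale)}")
    return findings
```

Running `check_workspace` over every workspace's pair of files gives a CI-friendly list of the lockfiles that were edited without a real `pnpm install`.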

github-actions Bot commented

Bundle size comparison

Base commit: 16a25814cdc6766421ef33cf9214348fefcfcce3
Head commit: f69fb545fe8246ea4d28631c6ab1616597c2a7a9

Pending — Build - client packages is running. Results will appear here when the build completes.
