Describe the feature request
We currently have the last three versions of Laravel (11x, 12x, 13x) that are using the 9x branch for Node compat.
The issue is that 9.2.1 has a hard reference to exactly shell-quote 1.8.3, so it won't be getting patches.
This leaves the community with either being forced onto Node 22 by using v10 (not a bad thing) or needing to fudge an overrides into their package.json:
"overrides": {
  "shell-quote": "1.8.4"
}
Either solution, that's affecting millions of installs worldwide.
So this is just requesting if we can get that 9.2.2 to bump that to be patched.
For ref to the exploit, it's a bit of a doozy in that it didn't escape newlines in the .op field:
GHSA-w7jw-789q-3m8p
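
To check whether a project is affected by the exact pin described in the issue above, the following added example (not code from the issue or the project) walks the `packages` map of a lockfileVersion 2/3 package-lock.json and reports installed shell-quote copies below 1.8.4 together with the dependents that pin it exactly. The lockfile objects and the package name `some-runner` are constructed placeholders.

```javascript
// Added example. Lockfile contents and the name "some-runner" are constructed.
const PATCHED = "1.8.4"; // version the override in the issue moves to

// Compare plain x.y.z versions numerically (no pre-release tags handled).
function cmp(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// An exact pin is a bare x.y.z range: no ^, ~, comparison or wildcard.
const isExactPin = (range) => /^=?\s*\d+\.\d+\.\d+$/.test(range.trim());

// Walk the "packages" map of a lockfileVersion 2/3 package-lock.json.
function auditShellQuote(lock) {
  const installed = [], pinners = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path.endsWith("node_modules/shell-quote")) {
      installed.push({ path, version: meta.version,
                       patched: cmp(meta.version, PATCHED) >= 0 });
    }
    const range = (meta.dependencies || {})["shell-quote"];
    if (range && isExactPin(range) &&
        cmp(range.replace(/^=\s*/, ""), PATCHED) < 0) {
      pinners.push({ path: path || "(root)", range }); // can never float to a fix
    }
  }
  return { installed, pinners, needsOverride: installed.some((i) => !i.patched) };
}

// Constructed lockfile: a dependent pinning shell-quote to exactly 1.8.3.
const sampleLock = { lockfileVersion: 3, packages: {
  "": { name: "app", devDependencies: { "some-runner": "^9.2.1" } },
  "node_modules/some-runner": { version: "9.2.1",
                                dependencies: { "shell-quote": "1.8.3" } },
  "node_modules/shell-quote": { version: "1.8.3" },
} };

// Same tree after reinstalling with "overrides": { "shell-quote": "1.8.4" }.
const overriddenLock = JSON.parse(JSON.stringify(sampleLock));
overriddenLock.packages["node_modules/shell-quote"].version = "1.8.4";

console.log(auditShellQuote(sampleLock));      // pinned and unpatched
console.log(auditShellQuote(overriddenLock));  // pin remains, install patched
```

A dependent that still appears under `pinners` after the override is applied is the reason the override has to stay in package.json until that dependent ships a release with a newer reference.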