Skip to content

6.0.0

Latest

Choose a tag to compare

@github-actions github-actions released this 07 Jul 12:06

Important

This release includes a fix for a known security vulnerability.

BREAKING Changes

  • Reworked npm detection and handling.
    The behavior when npm_execpath is present remains unchanged.

Fixed

  • Eliminated a potential shell‑injection vulnerability in the --workspace argument on Windows (via #1489)
    See GHSA-q69g-4hcv-6jg4
  • Properly closing output file (via #1484)

Tests

  • Added more regression test for shell injections (via #1488)

What's Changed

  • chore(deps-dev): bump the jest group across 1 directory with 2 updates by @dependabot[bot] in #1462
  • chore(deps): bump knip from 5.85.0 to 6.22.0 in /tools/test-dependencies by @dependabot[bot] in #1483
  • chore(deps): bump actions/checkout from 6.0.2 to 7.0.0 by @dependabot[bot] in #1478
  • chore(deps): bump actions/setup-node from 6.3.0 to 6.4.0 by @dependabot[bot] in #1452
  • chore(deps): bump actions/upload-artifact from 6.0.0 to 7.0.1 by @dependabot[bot] in #1446
  • chore(deps): bump actions/download-artifact from 7.0.0 to 8.0.1 by @dependabot[bot] in #1445
  • chore(deps): bump softprops/action-gh-release from 2.6.2 to 3.0.1 by @dependabot[bot] in #1477
  • fix: properly closing output file by @jkowalleck in #1484
  • tests: refactor and extend shell-injection cases by @jkowalleck in #1488
  • BC: rework npm-cli detction by @jkowalleck in #1489

Full Changelog: v5.0.0...v6.0.0