shell-quote CVE-2026-9277: newline slips past regex
shell-quote 1.8.4 fixes CVE-2026-9277 (CVSS 8.1): a newline in a .op token bypasses escaping because JavaScript's /(.)/g does not match line terminators.
2 articles tagged #npm
Over 160 npm packages were backdoored with valid SLSA Build Level 3 attestations. The trust model for GitHub Actions is broken -- here is what to fix.