fix(deps): update dependency zx to v8.8.5 [security] #552
Merged
Contributor: Skipped: This PR was opened by one of your excluded authors: (

✅ Deploy Preview for cedarjs canceled.

Contributor (Author): Edited/Blocked Notification. Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR. You can manually request rebase by checking the rebase/retry box above.
Tobbe added a commit that referenced this pull request on Nov 25, 2025:
This PR contains the following updates:

| Package | Change | Age | Confidence |
|---|---|---|---|
| [zx](https://google.github.io/zx/) ([source](https://redirect.github.com/google/zx)) | [`8.7.1` -> `8.8.5`](https://renovatebot.com/diffs/npm/zx/8.7.1/8.8.5) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) |

### GitHub Vulnerability Alerts

#### [CVE-2025-13437](https://nvd.nist.gov/vuln/detail/CVE-2025-13437)

When zx is invoked with `--prefer-local=<path>`, the CLI creates a symlink named `./node_modules` pointing to `<path>/node_modules`. Due to a logic error in `src/cli.ts` (`linkNodeModules` / `cleanup`), the function returns the target path instead of the alias (symlink path). The later cleanup routine removes what it received, which deletes the target directory itself. Result: zx can delete an external `<path>/node_modules` outside the current working directory.

---

### Release Notes

<details>
<summary>google/zx (zx)</summary>

### [`v8.8.5`](https://redirect.github.com/google/zx/releases/tag/8.8.5): — Temporary Reservoir

[Compare Source](https://redirect.github.com/google/zx/compare/8.8.4...8.8.5)

This release fixes the issue when zx flushes external `node_modules` on linking [#1348](https://redirect.github.com/google/zx/issues/1348) [#1349](https://redirect.github.com/google/zx/issues/1349) [#1355](https://redirect.github.com/google/zx/issues/1355)

Also [`[email protected]`](https://redirect.github.com/sindresorhus/globby/releases/tag/v15.0.0) arrives here.

### [`v8.8.4`](https://redirect.github.com/google/zx/releases/tag/8.8.4): — Flange Coupling

[Compare Source](https://redirect.github.com/google/zx/compare/8.8.3...8.8.4)

It's time. This release updates zx internals to make [the `ps` API](https://google.github.io/zx/api#ps) and related methods `ProcessPromise.kill()`, `kill()` work on Windows systems without [`wmic`](https://learn.microsoft.com/en-us/windows/win32/wmisdk/wmic). [#1344](https://redirect.github.com/google/zx/pull/1344) [webpod/ps#15](https://redirect.github.com/webpod/ps/pull/15)

> 1. WMIC will be missing in Windows 11 25H2 (kernel >= 26000)
> 2. The windows-latest label in GitHub Actions will migrate from Windows Server 2022 to Windows Server 2025 beginning September 2, 2025 and finishing by September 30, 2025.

<https://github.blog/changelog/2025-07-31-github-actions-new-apis-and-windows-latest-migration-notice/#windows-latest-image-label-migration>

### [`v8.8.3`](https://redirect.github.com/google/zx/releases/tag/8.8.3): — Sealing Gasket

[Compare Source](https://redirect.github.com/google/zx/compare/8.8.2...8.8.3)

Continues [#1339](https://redirect.github.com/google/zx/pull/1339) to prevent injections via `Proxy` input or custom `toString()` manipulations.

### [`v8.8.2`](https://redirect.github.com/google/zx/releases/tag/8.8.2): — Leaking Valve

[Compare Source](https://redirect.github.com/google/zx/compare/8.8.1...8.8.2)

Fixes potential cmd injection via `kill()` method for Windows platform. [#1337](https://redirect.github.com/google/zx/issues/1337) [#1339](https://redirect.github.com/google/zx/pull/1339). Affects the versions range `8.7.1...8.8.1`.

### [`v8.8.1`](https://redirect.github.com/google/zx/releases/tag/8.8.1): — Turbo Flush

[Compare Source](https://redirect.github.com/google/zx/compare/8.8.0...8.8.1)

We keep improving the project's internal infra to bring more stability, safety and performance for artifacts.

##### Featfixes

- Applied flags filtration for CLI-driven deps install [#1308](https://redirect.github.com/google/zx/pull/1308)
- Added `kill()` event logging [#1312](https://redirect.github.com/google/zx/pull/1312)
- Set `SIGTERM` as `kill()` fallback signal [#1313](https://redirect.github.com/google/zx/pull/1313)
- Allowed `stdio()` arg be an array [#1311](https://redirect.github.com/google/zx/pull/1311)

  ```ts
  const p = $({halt: true})`cmd`
  p.stdio([stream, 'ignore', 'pipe'])
  ```

##### Enhancements

- Added check for **zx@lite** pkg contents [#1317](https://redirect.github.com/google/zx/pull/1317) [#1316](https://redirect.github.com/google/zx/issues/1316)
- Simplified `ProcessPromise[asyncIterator]` inners [#1307](https://redirect.github.com/google/zx/pull/1307)
- Updated deps: chalk 5.6.0, fs-extra 11.3.1, yaml 2.8.1 [#1309](https://redirect.github.com/google/zx/pull/1309) [#1323](https://redirect.github.com/google/zx/pull/1323) [#1326](https://redirect.github.com/google/zx/pull/1326)
- Added TS@next to the test matrix [#1310](https://redirect.github.com/google/zx/pull/1310)
- Optimized internal `shell` setters [#1314](https://redirect.github.com/google/zx/pull/1314)
- Refactored build-publish pipelines and scripts [#1319](https://redirect.github.com/google/zx/pull/1319) [#1320](https://redirect.github.com/google/zx/pull/1320) [#1321](https://redirect.github.com/google/zx/pull/1321) [#1322](https://redirect.github.com/google/zx/pull/1322) [#1324](https://redirect.github.com/google/zx/pull/1324) [#1325](https://redirect.github.com/google/zx/pull/1325) [#1327](https://redirect.github.com/google/zx/pull/1327)

### [`v8.8.0`](https://redirect.github.com/google/zx/releases/tag/8.8.0): — Pressure Tested

[Compare Source](https://redirect.github.com/google/zx/compare/8.7.2...8.8.0)

This release enhances the coherence between the **ProcessPromise** and the **Streams API**, eliminating the need for certain script-level workarounds.

##### ✨ New Features

##### `unpipe()` — Selectively stop piping

You can now call `.unpipe()` to stop data transfer from a source to a destination without closing any of the pair. [#1302](https://redirect.github.com/google/zx/pull/1302)

```ts
const p1 = $`echo foo && sleep 0.1 && echo bar && sleep 0.1 && echo baz && sleep 0.1 && echo qux`
const p2 = $`echo 1 && sleep 0.15 && echo 2 && sleep 0.1 && echo 3`
const p3 = $`cat`

p1.pipe(p3)
p2.pipe(p3)
setTimeout(() => p1.unpipe(p3), 150)

const { stdout } = await p3 // 'foo\n1\nbar\n2\n3\n'
```

##### Many-to-one piping

Multiple sources can now stream into a single destination. All sources complete before the destination closes. [#1300](https://redirect.github.com/google/zx/pull/1300)

```ts
const $h = $({ halt: true })
const p1 = $`echo foo`
const p2 = $h`echo a && sleep 0.1 && echo c && sleep 0.2 && echo e`
const p3 = $h`sleep 0.05 && echo b && sleep 0.1 && echo d`
const p4 = $`sleep 0.4 && echo bar`
const p5 = $h`cat`

await p1
p1.pipe(p5)
p2.pipe(p5)
p3.pipe(p5)
p4.pipe(p5)

const { stdout } = await p5.run() // 'foo\na\nb\nc\nd\ne\nbar\n'
```

##### Piping from rejected processes

Processes that exit with errors can now still pipe their output. The internal recorder retains their stream, status, and exit code. [#1296](https://redirect.github.com/google/zx/pull/1296)

```ts
const p1 = $({ nothrow: true })`echo foo && exit 1`
await p1
const p2 = p1.pipe($({ nothrow: true })`cat`)
await p2

p1.output.toString() // 'foo\n'
p1.output.ok // false
p1.output.exitCode // 1
p2.output.toString() // 'foo\n'
p2.output.ok // false
p2.output.exitCode // 1
```

##### Components versions

Since zx bundles third-party libraries without their package.jsons, their versions weren't previously visible. You can now access them via the `versions` static map — including zx itself. [#1298](https://redirect.github.com/google/zx/pull/1298) [#1295](https://redirect.github.com/google/zx/pull/1295)

```ts
import { versions } from 'zx'

versions.zx // 8.7.2
versions.chalk // 5.4.1
```

### [`v8.7.2`](https://redirect.github.com/google/zx/releases/tag/8.7.2): — Copper Crafter

[Compare Source](https://redirect.github.com/google/zx/compare/8.7.1...8.7.2)

Stability and customizability improvements

- Handle `nothrow` option on `ProcessPromise` init stage [#1288](https://redirect.github.com/google/zx/pull/1288)

  ```ts
  const o = await $({ nothrow: true })`\033`
  o.ok // false
  o.cause // Error
  ```

- Handle `_snapshot.killSignal` value on `kill()` [#1287](https://redirect.github.com/google/zx/pull/1287)

  ```ts
  const p = $({killSignal: 'SIGKILL'})`sleep 10`
  await p.kill()
  p.signal // 'SIGKILL'
  ```

- Introduced `Fail` class [#1285](https://redirect.github.com/google/zx/pull/1285)

  ```ts
  import { Fail } from 'zx'

  Fail.EXIT_CODES['2'] = 'Custom error message'
  Fail.formatErrorMessage = (err: Error, from: string): string => `${err.message} (${from})`
  ```

- Expose `$` as type [#1283](https://redirect.github.com/google/zx/pull/1283)

  ```ts
  import type { $, Options } from 'zx'

  const custom$: $ = (pieces: TemplateStringsArray | Partial<Options>, ...args: any[]) => {
    // ... custom implementation
  }
  ```

- Internal tweak ups [#1276](https://redirect.github.com/google/zx/pull/1276) [#1277](https://redirect.github.com/google/zx/pull/1277) [#1278](https://redirect.github.com/google/zx/pull/1278) [#1279](https://redirect.github.com/google/zx/pull/1279) [#1280](https://redirect.github.com/google/zx/pull/1280) [#1281](https://redirect.github.com/google/zx/pull/1281) [#1282](https://redirect.github.com/google/zx/pull/1282) [#1286](https://redirect.github.com/google/zx/pull/1286) [#1289](https://redirect.github.com/google/zx/pull/1289)
- Described the zx architecture basics. This section helps to better understand the zx concepts and internal logic, and will be useful for those who want to become a project contributor, make tools based on it, or create something similar from scratch. [#1290](https://redirect.github.com/google/zx/pull/1290) [#1291](https://redirect.github.com/google/zx/pull/1291) [#1292](https://redirect.github.com/google/zx/pull/1292)

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Enabled.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about these updates again.

---

- [ ] If you want to rebase/retry this PR, check this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/cedarjs/cedar).

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: Tobbe Lundberg <[email protected]>