[Snyk] Security upgrade shelljs from 0.8.5 to 0.9.0

[MHback]

Snyk has created this PR to fix 1 vulnerabilities in the yarn dependencies of this project.

Snyk changed the following file(s):

• package.json
• yarn.lock

Note for zero-installs users

If you are using the Yarn feature zero-installs that was introduced in Yarn V2, note that this PR does not update the .yarn/cache/ directory meaning this code cannot be pulled and immediately developed on as one would expect for a zero-install project - you will need to run yarn to update the contents of the ./yarn/cache directory.
If you are not using zero-install you can ignore this as your flow should likely be unchanged.

Vulnerabilities that will be fixed with an upgrade:

	Issue	Score
	Regular Expression Denial of Service (ReDoS) SNYK-JS-BRACEEXPANSION-9789073	508

---

Important

• Check the changes in this PR to ensure they won't cause issues with your project.
• Max score is 1000. Note that the real score may have changed since the PR was raised.
• This PR was automatically created by Snyk using the credentials of a real user.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Regular Expression Denial of Service (ReDoS)

[gemini-code-assist]

Summary of Changes

Hello @MHback, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This is an automated security fix PR initiated by Snyk to resolve a low-severity ReDoS vulnerability found in the shelljs dependency by upgrading it to a patched version. The changes involve updating the package manifest and the lock file to reflect the new dependency version and its updated tree.

Highlights

• Security Upgrade: This pull request, automatically generated by Snyk, upgrades the shelljs dependency from version 0.8.5 to 0.9.0 (specifically locking to 0.9.2 in yarn.lock) to address a Regular Expression Denial of Service (ReDoS) vulnerability (SNYK-JS-BRACEEXPANSION-9789073).
• Dependency Updates: The upgrade of shelljs has resulted in updates and additions to its transitive dependencies, reflected in the yarn.lock file.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point in your pull request via creating an issue comment (i.e. comment on the pull request page) using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in issue comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist is currently in preview and may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments to provide feedback.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configureGemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This PR, automatically generated by Snyk, upgrades shelljs from ^0.8.5 to ^0.9.0 (which resolves to 0.9.2 in yarn.lock) to address a ReDoS security vulnerability. While the security fix is important, this review highlights that shelljs version 0.9.x introduces significant breaking changes. It is crucial to carefully review these changes and conduct thorough testing of all existing shelljs integrations to prevent regressions. Key areas of concern include modifications to shelljs.exec() default behavior, other API return values, and a new minimum Node.js version requirement.

[gemini-code-assist]

The upgrade of shelljs to ^0.9.0 (which resolves to 0.9.2 in yarn.lock) is intended to fix a security vulnerability. However, shelljs version 0.9.x introduces several breaking changes that could impact your project. It is critical to review these and test all shelljs usages thoroughly.

Key breaking changes to be aware of:

• shelljs.exec(): The silent option now defaults to true. If your code relies on exec() outputting to stdout/stderr by default, you must explicitly pass { silent: false } to retain the old behavior.
• shelljs.error(): This function now returns null if no error occurred (previously, it returned an empty string). Any checks like if (shelljs.error() === "") will need to be updated to if (shelljs.error() === null).
• shelljs.which(): This function now returns null if a command is not found (previously, it returned an empty ShellString object). Logic relying on the old behavior will need adjustment.
• Minimum Node.js Version: shelljs 0.9.x requires Node.js v8 or later. Please ensure your development and deployment environments meet this requirement.
• Internal Refactoring: shelljs has undergone significant internal changes, such as replacing glob with fast-glob and using execa for command execution. While these are internal, they could lead to subtle behavioral differences.

Please verify all shelljs usage in your codebase against these changes and ensure comprehensive testing is performed before merging this PR.

[gemini-code-assist]

This section shows that shelljs is now resolved to version 0.9.2. Note the significant changes in its direct dependencies, such as the introduction of execa and fast-glob, and the removal of glob as a direct dependency of shelljs (it's now via fast-glob's dependencies or other packages). These internal architectural changes, along with the documented breaking changes for shelljs 0.9.x, underscore the importance of thorough testing of any features in your project that rely on shelljs.