@cyclonedx/cyclonedx-npm 5.0.0
on Node.js NPM

5 hours ago

Important

This release includes a fix for a known security vulnerability.

BREAKING Changes

Reworked npm handling - npm is now executed explicitly rather than through a subshell.
The behavior when npm_execpath is present remains unchanged.

Fixed

Eliminated a potential shell‑injection vulnerability in the --workspace argument (via #1476)
See https://github.com/CycloneDX/cyclonedx-node-npm/security/advisories/GHSA-v75r-vx73-82pj

What's Changed

chore(deps-dev): bump jest from 30.2.0 to 30.3.0 in the jest group across 1 directory by @dependabot[bot] in #1430
chore(ci): fix dogfooding tests by @jkowalleck in #1443
Pin GitHub Actions to immutable SHAs while preserving tag-based update flow by @Copilot in #1442
chore(ci): node26 by @jkowalleck in #1461
fix: eliminate possible shell-injection in --workspace argument by @jkowalleck in #1476

New Contributors

@Copilot made their first contribution in #1442

Full Changelog: v4.2.1...v5.0.0

Check out latest releases or
releases around @cyclonedx/cyclonedx-npm 5.0.0

Don't miss a new cyclonedx-npm release

NewReleases is sending notifications on new releases.

Get notifications