Important
This release includes a fix for a known security vulnerability.
BREAKING Changes
- Reworked
npmdetection and handling.
The behavior whennpm_execpathis present remains unchanged.
Fixed
- Eliminated a potential shell‑injection vulnerability in the
--workspaceargument on Windows (via #1489)
See GHSA-q69g-4hcv-6jg4 - Properly closing output file (via #1484)
Tests
- Added more regression test for shell injections (via #1488)
What's Changed
- chore(deps-dev): bump the jest group across 1 directory with 2 updates by @dependabot[bot] in #1462
- chore(deps): bump knip from 5.85.0 to 6.22.0 in /tools/test-dependencies by @dependabot[bot] in #1483
- chore(deps): bump actions/checkout from 6.0.2 to 7.0.0 by @dependabot[bot] in #1478
- chore(deps): bump actions/setup-node from 6.3.0 to 6.4.0 by @dependabot[bot] in #1452
- chore(deps): bump actions/upload-artifact from 6.0.0 to 7.0.1 by @dependabot[bot] in #1446
- chore(deps): bump actions/download-artifact from 7.0.0 to 8.0.1 by @dependabot[bot] in #1445
- chore(deps): bump softprops/action-gh-release from 2.6.2 to 3.0.1 by @dependabot[bot] in #1477
- fix: properly closing output file by @jkowalleck in #1484
- tests: refactor and extend shell-injection cases by @jkowalleck in #1488
- BC: rework npm-cli detction by @jkowalleck in #1489
Full Changelog: v5.0.0...v6.0.0