Skip to content

chore(deps-dev): bump @cyclonedx/cyclonedx-npm from 4.2.1 to 6.0.0#32

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/cyclonedx/cyclonedx-npm-6.0.0
Open

chore(deps-dev): bump @cyclonedx/cyclonedx-npm from 4.2.1 to 6.0.0#32
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/cyclonedx/cyclonedx-npm-6.0.0

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 12, 2026

Copy link
Copy Markdown
Contributor

Bumps @cyclonedx/cyclonedx-npm from 4.2.1 to 6.0.0.

Release notes

Sourced from @​cyclonedx/cyclonedx-npm's releases.

6.0.0

[!IMPORTANT]
This release includes a fix for a known security vulnerability.

BREAKING Changes

  • Reworked npm detection and handling.
    The behavior when npm_execpath is present remains unchanged.

Fixed

  • Eliminated a potential shell‑injection vulnerability in the --workspace argument on Windows (via #1489)
    See GHSA-q69g-4hcv-6jg4
  • Properly closing output file (via #1484)

Tests

  • Added more regression test for shell injections (via #1488)

#1484: CycloneDX/cyclonedx-node-npm#1484 #1488: CycloneDX/cyclonedx-node-npm#1488 #1489: CycloneDX/cyclonedx-node-npm#1489


What's Changed

Full Changelog: CycloneDX/cyclonedx-node-npm@v5.0.0...v6.0.0

5.0.0

[!IMPORTANT]
This release includes a fix for a known security vulnerability.

BREAKING Changes

  • Reworked npm handling – npm is now executed explicitly rather than through a subshell.
    The behavior when npm_execpath is present remains unchanged.

Fixed

  • Eliminated a potential shell‑injection vulnerability in the --workspace argument (via #1476)
    See GHSA-v75r-vx73-82pj

#1476: CycloneDX/cyclonedx-node-npm#1476

... (truncated)

Changelog

Sourced from @​cyclonedx/cyclonedx-npm's changelog.

6.0.0 - 2026-07-07

  • BREAKING Changes
    • Reworked npm detection and handling.
      The behavior when npm_execpath is present remains unchanged.
  • Fixed
    • Eliminated a potential shell‑injection vulnerability in the --workspace argument on Windows (via #1489)
      See GHSA-q69g-4hcv-6jg4
    • Properly closing output file (via #1484)
  • Tests
    • Added more regression test for shell injections (via #1488)

#1484: CycloneDX/cyclonedx-node-npm#1484 #1488: CycloneDX/cyclonedx-node-npm#1488 #1489: CycloneDX/cyclonedx-node-npm#1489

5.0.0 - 2026-06-16

  • BREAKING Changes
    • Reworked npm handling - npm is now executed explicitly rather than through a subshell.
      The behavior when npm_execpath is present remains unchanged.
  • Fixed
    • Eliminated a potential shell‑injection vulnerability in the --workspace argument (via #1476)
      See GHSA-v75r-vx73-82pj
  • Tests
    • Added regression test for shell injections (via #1476)

#1476: CycloneDX/cyclonedx-node-npm#1476

Commits

@dependabot @github

dependabot Bot commented on behalf of github Jul 12, 2026

Copy link
Copy Markdown
Contributor Author

Labels

The following labels could not be found: dependencies. Please create it before Dependabot can add it to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

Bumps [@cyclonedx/cyclonedx-npm](https://github.com/CycloneDX/cyclonedx-node-npm) from 4.2.1 to 6.0.0.
- [Release notes](https://github.com/CycloneDX/cyclonedx-node-npm/releases)
- [Changelog](https://github.com/CycloneDX/cyclonedx-node-npm/blob/main/HISTORY.md)
- [Commits](CycloneDX/cyclonedx-node-npm@v4.2.1...v6.0.0)

---
updated-dependencies:
- dependency-name: "@cyclonedx/cyclonedx-npm"
  dependency-version: 6.0.0
  dependency-type: direct:development
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot
dependabot Bot force-pushed the dependabot/npm_and_yarn/cyclonedx/cyclonedx-npm-6.0.0 branch from c92042d to 2fdb978 Compare July 15, 2026 08:16
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants