Skip to content

chore(deps): bump simple-git from 3.32.3 to 3.36.0#7932

Open
dependabot[bot] wants to merge 1 commit into
masterfrom
dependabot/npm_and_yarn/simple-git-3.36.0
Open

chore(deps): bump simple-git from 3.32.3 to 3.36.0#7932
dependabot[bot] wants to merge 1 commit into
masterfrom
dependabot/npm_and_yarn/simple-git-3.36.0

Conversation

@dependabot
Copy link
Copy Markdown
Contributor

@dependabot dependabot Bot commented on behalf of github May 8, 2026
edited
Loading

Bumps simple-git from 3.32.3 to 3.36.0.

Release notes

Sourced from simple-git's releases.

simple-git@3.36.0

Minor Changes

  • 89a2294: Extend known exploitable configuration keys and per-task environment variables.

    Note - ParsedVulnerabilities from argv-parser is removed in favour of a readonly array of Vulnerability to match usage in simple-git, rolled into the new vulnerabilityCheck for simpler access to the identified issues.

    Thanks to @​zebbern for identifying the need to block core.fsmonitor. Thanks to @​kodareef5 for identifying the need to block GIT_CONFIG_COUNT environment variables and --template / merge related config.

Patch Changes

  • 1ad57e8: Remove conflicting node:buffer import
  • Updated dependencies [89a2294]
  • Updated dependencies [675570a]
    • @​simple-git/argv-parser@​1.1.0
    • @​simple-git/args-pathspec@​1.0.3

simple-git@3.35.2

Patch Changes

  • 0cf9d8c: Improvements for mono-repo publishing pipeline
  • Updated dependencies [0cf9d8c]
    • @​simple-git/args-pathspec@​1.0.2
    • @​simple-git/argv-parser@​1.0.3

simple-git@3.35.1

Patch Changes

  • 0de400e: Update monorepo version handling during publish
  • Updated dependencies [0de400e]
    • @​simple-git/argv-parser@​1.0.2

simple-git@3.33.0

Minor Changes

  • a263635: Use pathspec wrappers for remote and local paths when running either git.clone or git.mirror to avoid leaving them less open for unexpected outcomes when passing unsanitised data into these tasks.

Patch Changes

  • e253a0d: Enhanced git -c checks in unsafe plugin.

    Thanks to @​JohannesLks for identifying the issue

Changelog

Sourced from simple-git's changelog.

3.36.0

Minor Changes

  • 89a2294: Extend known exploitable configuration keys and per-task environment variables.

    Note - ParsedVulnerabilities from argv-parser is removed in favour of a readonly array of Vulnerability to match usage in simple-git, rolled into the new vulnerabilityCheck for simpler access to the identified issues.

    Thanks to @​zebbern for identifying the need to block core.fsmonitor. Thanks to @​kodareef5 for identifying the need to block GIT_CONFIG_COUNT environment variables and --template / merge related config.

Patch Changes

  • 1ad57e8: Remove conflicting node:buffer import
  • Updated dependencies [89a2294]
  • Updated dependencies [675570a]
    • @​simple-git/argv-parser@​1.1.0
    • @​simple-git/args-pathspec@​1.0.3

3.35.2

Patch Changes

  • 0cf9d8c: Improvements for mono-repo publishing pipeline
  • Updated dependencies [0cf9d8c]
    • @​simple-git/args-pathspec@​1.0.2
    • @​simple-git/argv-parser@​1.0.3

3.35.1

Patch Changes

  • 0de400e: Update monorepo version handling during publish
  • Updated dependencies [0de400e]
    • @​simple-git/argv-parser@​1.0.2

3.35.0

Minor Changes

  • 3d8708b: Updating publish config

Patch Changes

  • Updated dependencies [3d8708b]
    • @​simple-git/args-pathspec@​1.0.1
    • @​simple-git/argv-parser@​1.0.1

3.34.0

... (truncated)

Commits
  • 7dc1a53 Version Packages
  • 76f5376 Merge pull request #1061 from Vinzent03/fix/buffer-import
  • 89a2294 Environment Parsing (#1156)
  • 1b91b76 fix: remove explicit node:buffer import
  • e390685 Version Packages
  • 3c9e4b8 Pin version of @​simple-git/args-pathspec
  • 94ee21f Export pathspec types through simple-git for backward compatibility
  • 6d7cb51 Version Packages
  • 0de400e Switch to semver from workspace revisions
  • 2264722 Version Packages
  • Additional commits viewable in compare view

@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update Javascript code labels May 8, 2026
@monkeytypegeorge monkeytypegeorge added the backend Server stuff label May 8, 2026
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/simple-git-3.36.0 branch from c537db4 to 7c21f27 Compare May 12, 2026 12:03
@dependabot
chore(deps): bump simple-git from 3.32.3 to 3.36.0
6ca483a 
Bumps [simple-git](https://github.com/steveukx/git-js/tree/HEAD/simple-git) from 3.32.3 to 3.36.0.
- [Release notes](https://github.com/steveukx/git-js/releases)
- [Changelog](https://github.com/steveukx/git-js/blob/main/simple-git/CHANGELOG.md)
- [Commits](https://github.com/steveukx/git-js/commits/simple-git@3.36.0/simple-git)

---
updated-dependencies:
- dependency-name: simple-git
  dependency-version: 3.36.0
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/simple-git-3.36.0 branch from 7c21f27 to 6ca483a Compare May 13, 2026 08:18
@socket-security
Copy link
Copy Markdown

socket-security Bot commented May 13, 2026

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security		 Vulnerability Quality Maintenance License
Added@​types/​mjml@​4.7.41001005785100
Added@​types/​damerau-levenshtein@​1.0.0951006179100
Added@​types/​subset-font@​1.4.3671007382100
Added@​types/​uuid@​10.0.01001007081100
Added@​types/​readline-sync@​1.4.81001007080100
Added@​tanstack/​solid-hotkeys-devtools@​0.6.6701009999100
Added@​tanstack/​solid-query-devtools@​5.100.38310070100100
Added@​types/​throttle-debounce@​5.0.21001007080100
Added@​tanstack/​solid-db@​0.2.197710071100100
Added@​types/​swagger-stats@​0.95.11851007176100
Added@​types/​express@​5.0.31001007185100
Added@​types/​object-hash@​3.0.61001007180100
Added@​types/​cron@​1.7.31001007180100
Added@​types/​supertest@​6.0.31001007181100
Added@​types/​ua-parser-js@​0.7.361001007180100
Added@​types/​canvas-confetti@​1.4.31001007280100
Added@​types/​bcrypt@​5.0.21001007281100
Added@​sentry/​browser@​10.44.0721009196100
Added@​tanstack/​solid-table@​8.21.3921007398100
Added@​types/​howler@​2.2.71001007380100
Added@​tanstack/​query-db-collection@​1.0.361001007397100
Added@​types/​mustache@​4.2.21001007481100
Added@​types/​chartjs-plugin-trendline@​1.0.1881007476100
Added@​tanstack/​eslint-plugin-query@​5.100.310010075100100
Addedballoon-css@​1.2.09710010075100
Added@​storybook/​addon-vitest@​10.2.169910076100100
Added@​types/​ioredis@​4.28.101001007680100
Added@​types/​nodemailer@​6.4.151001007692100
Added@​redocly/​cli@​2.24.177100100100100
Added@​tanstack/​solid-devtools@​0.8.2771008596100
Added@​tanstack/​solid-hotkeys@​0.9.17710010099100
Added@​storybook/​addon-a11y@​10.2.1610010078100100
Added@​oxlint/​plugins@​1.43.0781009986100
See 28 more rows in the dashboard

View full report

@socket-security
Copy link
Copy Markdown

socket-security Bot commented May 13, 2026

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action Severity Alert  (click "▶" to expand/collapse)
Warn Critical
Critical CVE: Basic FTP has Path Traversal Vulnerability in its downloadToDir() method in npm basic-ftp

CVE: GHSA-5rq4-664w-9x2c Basic FTP has Path Traversal Vulnerability in its downloadToDir() method (CRITICAL)

Affected versions: < 5.2.0

Patched version: 5.2.0

From: pnpm-lock.yamlnpm/basic-ftp@5.0.5

ℹ Read more on: This package | This alert | What is a critical CVE?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/basic-ftp@5.0.5. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

backend Server stuff dependencies Pull requests that update a dependency file javascript Pull requests that update Javascript code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@monkeytypegeorge