shell-quote, an npm package for parsing and quoting shell commands, has been updated from version 1.7.1 to 1.7.2. Both versions provide the same core functionality: quoting and parsing shell command lines, which matters to anyone building tools that hand user-supplied values to a command-line program. The license remains MIT.
Examining the provided data, the one concrete difference is the "unpackedSize" field in the "dist" object: 21011 bytes for 1.7.2 versus 20782 for 1.7.1. A few hundred extra bytes in a patch release usually means small code changes, added tests or updated documentation, but the size by itself says nothing about what changed; the release notes or a diff of the two tarballs are the only reliable sources. Patch releases often carry bug fixes or security fixes, so using the newest version is the right default. In this case, however, the command-injection vulnerability listed below affects every release before 1.7.3, so 1.7.2 is still vulnerable and developers should upgrade to 1.7.3 or later rather than stopping at 1.7.2.
All known vulnerabilities affecting version 1.7.2 of the package
Improper Neutralization of Special Elements used in a Command in Shell-quote
The shell-quote package before 1.7.3 for Node.js allows command injection. An attacker can inject unescaped shell metacharacters through a regex designed to support Windows drive letters. If the output of this package is passed to a real shell as a quoted argument to a command with exec(), an attacker can inject arbitrary commands. This is because the Windows drive letter regex character class is [A-z] instead of the correct [A-Za-z]. In ASCII the range from capital Z (0x5A) to lower case a (0x61) also covers the six characters [ \ ] ^ _ and the backtick (0x5B to 0x60), so several shell metacharacters fall inside the broader class; whatever the drive-letter group captures is copied through without escaping, and an unescaped backtick opens a command substitution once the string reaches the shell.