From e40d9b94ab27042925c906799f743c57894d0027 Mon Sep 17 00:00:00 2001
From: Antonis Lilis
Date: Mon, 15 Jun 2026 10:30:27 +0200
Subject: [PATCH] fix(deps): resolve shell-quote to >=1.8.4 to fix CVE command injection

Addresses Dependabot alert #547 (critical severity). shell-quote's quote() did not escape newlines in object .op values, allowing shell command injection.

The package is only a transitive dev/test dependency (via react-native CLI, detox, npm-run-all2, etc.) and is not shipped in the published SDK.

Co-Authored-By: Claude Opus 4.6
---
 package.json |  3 ++-
 yarn.lock    | 15 ++++-----------
 2 files changed, 6 insertions(+), 12 deletions(-)

diff --git a/package.json b/package.json
index 37150db1a7..68b0b08d10 100644
--- a/package.json
+++ b/package.json
@@ -133,7 +133,8 @@
     "postcss": "^8.5.10",
     "socks": "^2.8.8",
     "@appium/support@npm:7.0.6/uuid": "^13.0.1",
-    "node-simctl@npm:8.1.6/uuid": "^13.0.1"
+    "node-simctl@npm:8.1.6/uuid": "^13.0.1",
+    "shell-quote": "^1.8.4"
   },
   "version": "0.0.0",
   "name": "sentry-react-native",
diff --git a/yarn.lock b/yarn.lock
index cd947f2c17..431126f055 100644
--- a/yarn.lock
+++ b/yarn.lock
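Review bot: The `"shell-quote": "^1.8.4"` resolution added at the end of the block forces every descriptor of shell-quote onto ^1.8.4, including the exact `shell-quote@npm:1.8.3` descriptor that the yarn.lock hunk shows at least one dependent declaring; an override outside a dependent's own range is accepted by Yarn but is only safe if that dependent tolerates 1.8.4, which the patch does not record (a patch-level bump, so the risk is presumably low). Because package.json cannot carry a comment, the rationale (transitive dev/test-only dependency, Dependabot alert #547) lives only in the commit message; consider noting in the project's dependency notes or CHANGELOG why the resolution exists and when it can be dropped (once the react-native CLI, detox and npm-run-all2 ranges themselves require >=1.8.4), so it does not linger as a permanent pin. The enclosing `resolutions` object starts before this hunk.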
@@ -30236,17 +30236,10 @@ __metadata:
   languageName: node
   linkType: hard
 
-"shell-quote@npm:1.8.3, shell-quote@npm:^1.7.2, shell-quote@npm:^1.8.3":
-  version: 1.8.3
-  resolution: "shell-quote@npm:1.8.3"
-  checksum: 550dd84e677f8915eb013d43689c80bb114860649ec5298eb978f40b8f3d4bc4ccb072b82c094eb3548dc587144bb3965a8676f0d685c1cf4c40b5dc27166242
-  languageName: node
-  linkType: hard
-
-"shell-quote@npm:^1.6.1, shell-quote@npm:^1.7.3, shell-quote@npm:^1.8.1":
-  version: 1.8.1
-  resolution: "shell-quote@npm:1.8.1"
-  checksum: 5f01201f4ef504d4c6a9d0d283fa17075f6770bfbe4c5850b074974c68062f37929ca61700d95ad2ac8822e14e8c4b990ca0e6e9272e64befd74ce5e19f0736b
+"shell-quote@npm:^1.8.4":
+  version: 1.8.4
+  resolution: "shell-quote@npm:1.8.4"
+  checksum: 082dc836baa8ade01144ee3068af487ea45ba570ea6ab13a5eddc11ab16a976b8857b51ef2caf7dc9a1e173ff0aea685b8f78b4f6f5a0a1ef24c7b17c51350e2
   languageName: node
   linkType: hard
 