Skip to content

fix(deps): update dependency renovate to v42 [security]#47

Open
github-actions[bot] wants to merge 1 commit intomainfrom
renovate/npm-renovate-vulnerability
Open

fix(deps): update dependency renovate to v42 [security]#47
github-actions[bot] wants to merge 1 commit intomainfrom
renovate/npm-renovate-vulnerability

Conversation

@github-actions
Copy link
Contributor

@github-actions github-actions bot commented Feb 3, 2026

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package Change Age Confidence
renovate (source) ^41.46.5^42.0.0 age confidence

Renovate vulnerable to arbitrary command injection via Gradle Wrapper and malicious distributionUrl

GHSA-pfq2-hh62-7m96

More information

Details

Summary

Renovate can be tricked into executing shell code while updating the Gradle Wrapper. A malicious distributionUrl in gradle/wrapper/gradle-wrapper.properties can lead to command execution in the Renovate runtime.

Details

When Renovate handles Gradle Wrapper artifacts, it may run a wrapper update command such as:

  • ./gradlew :wrapper --gradle-distribution-url <value>

In the observed behavior, Renovate executes this via a shell (e.g., /bin/sh -c ...).
If distributionUrl contains shell command substitution syntax like $(...), the shell evaluates it before Gradle validates/parses the URL.

After that, Gradle attempts to parse the URL as a URI and fails with URISyntaxException, but the shell substitution has already executed.

This is reproducible even when allowScripts is disabled (default is OFF), because this execution happens as part of Gradle Wrapper artifact handling rather than “repository install scripts”.

Prerequisites / attack conditions:

  • The attacker must be able to get a malicious gradle-wrapper.properties into a repository that Renovate scans (e.g., direct write access, or a maintainer merges an attacker’s change/PR).
  • Renovate must be configured to process Gradle Wrapper updates/artifacts for that repository (default behavior for the Gradle Wrapper manager).
PoC
  1. Create a repository with a Gradle Wrapper (gradlew, gradlew.bat, gradle/wrapper/gradle-wrapper.jar, and gradle/wrapper/gradle-wrapper.properties).
  2. Set distributionUrl in gradle-wrapper.properties to include $(...).
  3. Run Renovate against the repository.
  4. Observe that a file is created during Renovate’s wrapper update step before Gradle fails with URISyntaxException.

A screen recording is attached showing end-to-end reproduction. In the demo, the payload creates /tmp/passwd_dump containing /etc/passwd, demonstrating that file read/exfiltration is possible within the Renovate execution context.

Impact

This allows arbitrary command execution in the Renovate runtime during Gradle Wrapper updates. Depending on deployment, this may expose credentials/tokens available to the bot and may allow an attacker to modify repositories or access internal resources reachable from the Renovate environment.

Remediation

Upgrading to Renovate 42.68.5 (2025-12-31) fixes this issue, and closes out other risks of shell evaluation for commands run by Renovate.

If using the composer, yarn (v1) or flux managers, please upgrade to 42.74.5 (2026-01-08), as there were follow-up fixes to keep these managers working.

Severity

  • CVSS Score: 6.7 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

Release Notes

renovatebot/renovate (renovate)

v42.68.5

Compare Source

Bug Fixes
  • postUpgradeTasks: always run commands with shell mode (140a777)
  • util/exec: don't use shell by default (f430552)
Documentation
  • self-hosting: note risk of postUpgradeTasks with shell execution (d2872e2)
Code Refactoring
  • github-actions: Simplify line parsing (#​40216) (fb80abb)
  • util/exec: specify the args array for execa (a0a84a4)
  • util/exec: use spawnargs to return error messages (b19c3ee)
Tests
  • only validate subset of arguments to exec (bebff1c)
  • remove encoding from stubs (#​40221) (8fab5f0)
  • util/exec: clarify existing behaviour of shell parameter (d0bee7f)
  • util/exec: document ability to use arguments with spaces (c5c98ea)

v42.68.4

Compare Source

Bug Fixes
  • deps: update ghcr.io/renovatebot/base-image docker tag to v12.20.9 (main) (#​40224) (51d097e)

v42.68.3

Compare Source

Bug Fixes
  • deps: update ghcr.io/renovatebot/base-image docker tag to v12.20.8 (main) (#​40223) (847413f)
Miscellaneous Chores

v42.68.2

Compare Source

Bug Fixes
  • deps: update ghcr.io/containerbase/sidecar docker tag to v13.25.19 (main) (#​40219) (16a1325)
  • deps: update ghcr.io/renovatebot/base-image docker tag to v12.20.7 (main) (#​40220) (9d6553d)

v42.68.1

Compare Source

Bug Fixes
Miscellaneous Chores
  • deps: update dependency pnpm to v10.26.2 (main) (#​40217) (fdbeaba)
  • deps: update ghcr.io/containerbase/devcontainer docker tag to v13.25.19 (main) (#​40218) (3d8cca4)

v42.68.0

Compare Source

Features
Miscellaneous Chores
  • deps: update containerbase/internal-tools action to v3.14.42 (main) (#​40214) (73c14df)

v42.67.0

Compare Source

Features
Documentation
Miscellaneous Chores
Code Refactoring

v42.66.14

Compare Source

Bug Fixes
  • deps: update ghcr.io/renovatebot/base-image docker tag to v12.20.6 (main) (#​40207) (ac0e6ae)

v42.66.13

Compare Source

Bug Fixes
  • deps: update ghcr.io/renovatebot/base-image docker tag to v12.20.5 (main) (#​40206) (a7d4425)
Miscellaneous Chores
Code Refactoring

v42.66.12

Compare Source

Bug Fixes
Documentation
Miscellaneous Chores
Code Refactoring

v42.66.11

Compare Source

Bug Fixes
Miscellaneous Chores

v42.66.10

Compare Source

Bug Fixes

v42.66.9

Compare Source

Build System

v42.66.8

Compare Source

Bug Fixes
  • deps: update ghcr.io/renovatebot/base-image docker tag to v12.20.4 (main) (#​40161) (7c08a22)
Miscellaneous Chores

v42.66.7

Compare Source

Miscellaneous Chores
Build System
  • deps: update dependency validate-npm-package-name to v7.0.1 (main) (#​40159) (fc5f112)

v42.66.6

Compare Source

Build System

v42.66.5

Compare Source

Build System

v42.66.4

Compare Source

Build System

v42.66.3

Compare Source

Bug Fixes
  • deps: update ghcr.io/renovatebot/base-image docker tag to v12.20.3 (main) (#​40148) (5266ce6)

v42.66.2

Compare Source

Bug Fixes
  • deps: update ghcr.io/renovatebot/base-image docker tag to v12.20.2 (main) (#​40133) (c5105d0)
Miscellaneous Chores

v42.66.1

Compare Source

Bug Fixes
Miscellaneous Chores
Tests

v42.66.0

Compare Source

Features
  • deps: update ghcr.io/renovatebot/base-image docker tag to v12.20.1 (main) (#​40115) (bbe357e)

v42.65.2

Compare Source

Bug Fixes
  • deps: update ghcr.io/containerbase/sidecar docker tag to v13.25.18 (main) (#​40113) (ef0a84b)
Miscellaneous Chores
  • deps: update dependency pnpm to v10.26.0 (main) (#​40111) (d5b91ba)
  • deps: update ghcr.io/containerbase/devcontainer docker tag to v13.25.18 (main) (#​40112) (d6f3876)

v42.65.1

Compare Source

Bug Fixes
  • deps: update ghcr.io/renovatebot/base-image docker tag to v12.19.4 (main) (#​40110) (e6dd79a)
Build System
  • deps: update dependency azure-devops-node-api to v15.1.2 (main) (#​40109) (6803124)

v42.65.0

Compare Source

Features
Bug Fixes
  • deps: update ghcr.io/containerbase/sidecar docker tag to v13.25.17 (main) (#​40108) (e659a7c)
Documentation
Miscellaneous Chores

v42.64.1

Compare Source

Build System

v42.64.0

Compare Source

Features
Code Refactoring

v42.63.0

Compare Source

Features
Bug Fixes
  • composer: Remove composer.lock file for lock file maintenance (#​39920) (a30c550)
Miscellaneous Chores

v42.62.0

Compare Source

Features
Bug Fixes
  • deps: update dependency mkdocs-material to v9.7.1 (main) (#​40062) (0646aad)
Documentation
  • gradle: clarify ./gradlew for Verificaton Metadata updates (#​40044) (0723e80)

v42.61.0

Compare Source

Features

v42.60.0

Compare Source

Features
  • presets: add new preset workarounds:clamavDockerImageVersioning (#​40035) (dfde989)
Documentation
Miscellaneous Chores
Code Refactoring

v42.59.1

Compare Source

Bug Fixes

v42.59.0

Compare Source

Features

v42.58.4

Compare Source

Bug Fixes
  • deps: update ghcr.io/renovatebot/base-image docker tag to v12.19.3 (main) (#​40036) (179d527)

v42.58.3

Compare Source

Bug Fixes
Miscellaneous Chores
  • deps: update github/codeql-action action to v4.31.9 (main) (#​40029) (a39c529)

v42.58.2

Compare Source

Bug Fixes
  • deps: update ghcr.io/renovatebot/base-image docker tag to v12.19.2 (main) (#​40025) (54cf847)

v42.58.1

Compare Source

Miscellaneous Chores
Code Refactoring
Build System

v42.58.0

Compare Source

Features
Bug Fixes
  • add missing type definitions for autoApprove and prTitleStrict (#​40016) (e4dd2d2)
  • deps: update ghcr.io/renovatebot/base-image docker tag to v12.19.1 (main) (#​40023) (fde321f)
  • github/vulnerabilityAlerts: don't error on unknown ecosystems (#​39417) (2809af3)
Miscellaneous Chores

v42.57.1

Compare Source

Bug Fixes
Miscellaneous Chores
  • deps: update dependency typescript-eslint to v8.49.0 (main) (#​40012) (0554c76)

v42.57.0

Compare Source

Features

v42.56.0

Compare Source

Features
  • deps: update ghcr.io/renovatebot/base-image docker tag to v12.19.0 (main) (#​40010) (b0b573c)

v42.55.0

Compare Source

Features
  • deps: update ghcr.io/renovatebot/base-image docker tag to v12.18.0 (main) (#​40009) (51e96cf)
Miscellaneous Chores

v42.54.3

Compare Source

Bug Fixes
  • deps: update ghcr.io/renovatebot/base-image docker tag to v12.17.7 (main) (#​40005) (0669245)

v42.54.2

Compare Source

Bug Fixes
  • deps: update ghcr.io/containerbase/sidecar docker tag to v13.25.16 (main) (#​40003) (4aae3f7)
Miscellaneous Chores

v42.54.1

Compare Source

Bug Fixes
  • presets: helpers:githubDigestChangelogs should only apply to Git digest updates (#​39995) (1bd574c)

v42.54.0

Compare Source

Features
  • bitbucket: massage markdown for collapsible sections section (#​39720) (aacb026)
Bug Fixes
  • gerrit: pass credentials to api calls in initPlatform (#​39970) (32bf2bf)
  • maven: preserve the original version when versionCompatibility is used for later lookup (#​38906) (1e3d873)
Documentation
  • npm-unpublish: Correct npm unpublish time frame 24h -> 72h (#​39941) (a67d6af)
Miscellaneous Chores
  • minimumReleaseAge: only log once per case of "did not have a releaseTimestamp" (#​39936) (847c980)

v42.53.0

Compare Source

Features
  • replacements: Adds replacement for Docker grafana/grafana-oss to grafana/grafana (#​39512) (d64c669)
Bug Fixes
  • github-actions: handling of quoted Docker image references (#​39635) (fef1439)
  • gitlab: properly massage config migration MR links (#​39474) (32befe2), closes #​32178
  • pip-requirements: Make the version specifier in pip-requirements with extras (e.g. mypackage[myextra]) optional (#​39480) (9499ad6)
Documentation
Miscellaneous Chores

v42.52.8

Compare Source

Bug Fixes
  • deps: update ghcr.io/renovatebot/base-image docker tag to v12.17.6 (main) (#​39984) (67d91e8)

v42.52.7

Compare Source

Bug Fixes
  • deps: update ghcr.io/containerbase/sidecar docker tag to v13.25.15 (main) (#​39983) (95168e0)
Miscellaneous Chores
  • deps: update dependency type-fest to v5.3.1 (main) (#​39980) (9f0440d)
  • deps: update ghcr.io/containerbase/devcontainer docker tag to v13.25.15 (main) (#​39982) (7dd2f12)

v42.52.6

Compare Source

Build System

v42.52.5

Compare Source

Build System
  • deps: update dependency toml-eslint-parser to v0.10.1 (main) (#​39976) (06812d6)

v42.52.4

Compare Source

Bug Fixes
  • deps: update ghcr.io/renovatebot/base-image docker tag to v12.17.5 (main) (#​39975) (5a6308c)
Miscellaneous Chores
  • deps: update dependency markdownlint-cli2 to v0.20.0 (main) (#​39974) (6a1adb6)

[v42.52.3](https://redirect.g

Configuration

📅 Schedule: Branch creation - "" in timezone UTC, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.

@github-actions github-actions bot added the dependencies Pull requests that update a dependency file label Feb 3, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants