chore(monorepo): update pnpm.catalog.default zx to v8.8.5 [security]#10

Open

renovate[bot] wants to merge 1 commit into

mainfrom

renovate/npm-zx-vulnerability

renovate Bot commented Dec 16, 2025 •

edited

Loading

This PR contains the following updates:

Package	Change	Age	Confidence
zx (source)	`8.5.0` → `8.8.5`

zx Uses Incorrectly-Resolved Name or Reference

CVE-2025-13437 / GHSA-w87r-vg9q-crqm

More information

Details

When zx is invoked with --prefer-local=, the CLI creates a symlink named ./node_modules pointing to /node_modules. Due to a logic error in src/cli.ts (linkNodeModules / cleanup), the function returns the target path instead of the alias (symlink path). The later cleanup routine removes what it received, which deletes the target directory itself. Result: zx can delete an external /node_modules outside the current working directory.

Severity

CVSS Score: 5.6 / 10 (Medium)
Vector String: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:H/SC:N/SI:H/SA:H/E:U

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

Release Notes

google/zx (zx)

`v8.8.5`: — Temporary Reservoir

This release fixes the issue, when zx flushes external node_modules on linking #1348 #1349 #1355

Also globby@15.0.0 arrives here.

`v8.8.4`: — Flange Coupling

It's time. This release updates zx internals to make the ps API and related methods ProcessPromise.kill(), kill() work on Windows systems without wmic.
#1344 webpod/ps#15

WMIC will be missing in Windows 11 25H2 (kernel >= 26000)

The windows-latest label in GitHub Actions will migrate from Windows Server 2022 to Windows Server 2025 beginning September 2, 2025 and finishing by September 30, 2025.

https://github.blog/changelog/2025-07-31-github-actions-new-apis-and-windows-latest-migration-notice/#windows-latest-image-label-migration

`v8.8.3`: — Sealing Gasket

Continues #1339 to prevent injections via Proxy input or custom toString() manipulations.

`v8.8.2`: — Leaking Valve

Fixes potential cmd injection via kill() method for Windows platform. #1337 #1339. Affects the versions range 8.7.1...8.8.1.

`v8.8.1`: — Turbo Flush

We keep improving the projects internal infra to bring more stability, safety and performance for artifacts.

Featfixes

Applied flags filtration for CLI-driven deps install #1308
Added kill() event logging #1312
Set SIGTERM as kill() fallback signal #1313
Allowed stdio() arg be an array #1311

const p = $({halt: true})`cmd`
p.stdio([stream, 'ignore', 'pipe'])

Enhancements

Added check for zx@lite pkg contents #1317 #1316
Simplified ProcessPromise[asyncIterator] inners #1307
Updated deps: chalk 5.6.0, fs-extra 11.3.1, yaml 2.8.1 #1309 #1323 #1326
Added TS@next to the test matrix #1310
Optimized internal shell setters #1314
Refactored build-publish pipelines and scripts #1319 #1320 #1321 #1322 #1324 #1325 #1327

`v8.8.0`: — Pressure Tested

This release enhances the coherence between the ProcessPromise and the Streams API, eliminating the need for certain script-level workarounds.

✨ New Features

`unpipe()` — Selectively stop piping

You can now call .unpipe() to stop data transfer from a source to a destination without closing any of the pair. #1302

const p1 = $`echo foo && sleep 0.1 && echo bar && sleep 0.1 && echo baz && sleep 0.1 && echo qux`
const p2 = $`echo 1 && sleep 0.15 && echo 2 && sleep 0.1 && echo 3`
const p3 = $`cat`

p1.pipe(p3)
p2.pipe(p3)

setTimeout(() => p1.unpipe(p3), 150)

const { stdout } = await p3
// 'foo\n1\nbar\n2\n3\n'

Many-to-one piping

Multiple sources can now stream into a single destination. All sources complete before the destination closes. #1300

const $h = $({ halt: true })
const p1 = $`echo foo`
const p2 = $h`echo a && sleep 0.1 && echo c && sleep 0.2 && echo e`
const p3 = $h`sleep 0.05 && echo b && sleep 0.1 && echo d`
const p4 = $`sleep 0.4 && echo bar`
const p5 = $h`cat`

await p1
p1.pipe(p5)
p2.pipe(p5)
p3.pipe(p5)
p4.pipe(p5)

const { stdout } = await p5.run()
// 'foo\na\nb\nc\nd\ne\nbar\n'

Piping from rejected processes

Processes that exit with errors can now still pipe their output. The internal recorder retains their stream, status, and exit code. #1296

const p1 = $({ nothrow: true })`echo foo && exit 1`
await p1

const p2 = p1.pipe($({ nothrow: true })`cat`)
await p2

p1.output.toString() // 'foo\n'
p1.output.ok         // false
p1.output.exitCode   // 1

p2.output.toString() // 'foo\n'
p2.output.ok         // false
p2.output.exitCode   // 1

Components versions

Since zx bundles third-party libraries without their package.jsons, their versions weren’t previously visible. You can now access them via the versions static map — including zx itself. #1298 #1295

import { versions } from 'zx'

versions.zx     // 8.7.2
versions.chalk  // 5.4.1

`v8.7.2`: — Copper Crafter

Stability and customizability improvements

Handle nothrow option on ProcessPromise init stage #1288

const o = await $({ nothrow: true })`\033`
o.ok      // false
o.cause   // Error

Handle _snapshot.killSignal value on kill() #1287

const p = $({killSignal: 'SIGKILL'})`sleep 10`
await p.kill()
p.signal  // 'SIGKILL'

Introduced Fail class #1285

import { Fail } from 'zx'

Fail.EXIT_CODES['2'] = 'Custom error message'
Fail.formatErrorMessage = (err: Error, from: string): string =>
  `${err.message} (${from})`

Expose $ as type #1283

import type { $, Options } from 'zx'

const custom$: $ = (pieces: TemplateStringsArray | Partial<Options>, ...args: any[]) => {
  // ... custom implementation
}

Internal tweak ups #1276 #1277 #1278 #1279 #1280 #1281 #1282 #1286 #1289
Described the zx architecture basics. This section helps to better understand the zx concepts and internal logic, and will be useful for those who want to become a project contributor, make tools based on it, or create something similar from scratch. #1290 #1291 #1292

`v8.7.1`: — Pipe Whisperer

Continues v8.7.0: handles new ps() corner case and improves $.kill mechanics on Windows #1266 #1267 #1269 webpod/ps#14

`v8.7.0`: — Solder Savior

Important fixes for annoying flaky bugs

kill() 🐞

We've found an interesting case #1262

const p = $`sleep 1000`
const {pid} = p // 12345
await p.kill()

If we kill the process again, the result might be unexpected:

await ps({pid}) // {pid: 12345, ppid: 67890, command: 'another command', ...}
p.kill()

This happens because the pid may be reused by the system for another process, so we've added extra assertions to prevent indeterminacy:

p.kill()  // Error: Too late to kill the process.
p.abort() // Error: Too late to abort the process.

ps() 🐛

ps() uses wmic internally on Windows, it relies on fragile heuristics to parse the output. We have improved this logic to handle more format variants, but over time (in v9 maybe) we're planning to change the approach.

#1256 #1263 webpod/ps#12 webpod/ingrid#6

const [root] = await ps.lookup({ pid: process.pid })
assert.equal(root.pid, process.pid)

`v8.6.2`: — Flow Unstoppable

Fixes $.prefix & $.postfix values settings via env variables #1261 #1260

`v8.6.1`: — Drain Hero

Use process.env.SHELL as default shell if defined #1252

SHELL=/bin/zsh zx script.js

Accept numeric strings as parseDuration() arg #1249

await sleep(1000)   // 1 second
await sleep('1000') // 1 second

Update docker base image to node:24-alpine #1239
Docs improvements #1242 #1243 #1246 #1248 #1251

`v8.6.0`: — Valve Vanguard

Enabled thenable params processing for $ literals #1237

const a1 = $`echo foo`
const a2 = new Promise((resolve) => setTimeout(resolve, 20, ['bar', 'baz']))

await $`echo ${a1} ${a2}` // foo bar baz

A dozen of internal refactorings #1225 #1226 #1228 #1229 #1230 #1231 #1232 #1233 #1234 #1235 #1236 #1238 #1239
- Deps bumping
- Bytes shrinking
- Docs improvements

`v8.5.5`: — PVC Wizard

Minor feature polish.

ProcessPromise and ProcessOutput lines() getters now accept a custom delimiter #1220 #1218

const cwd = tempdir()
const delimiter = '\0'

const p1 = $({
  cwd
})`touch foo bar baz; find ./ -type f -print0 -maxdepth 1`
(await p1.lines(delimiter)).sort() // ['./bar', './baz', './foo']
  
// or via options
const lines = []
const p2 = $({
  delimiter,
  cwd,
})`find ./ -type f -print0 -maxdepth 1`

for await (const line of p2) {
  lines.push(line)
}

lines.sort() // ['./bar', './baz', './foo']

Handle .nothrow() option in ProcessProcess[AsyncIterator] #1216 #1217
Updates yaml to v2.8.0 #1221

`v8.5.4`: — Pipe Dreamer

Fixed the pipe(file: string) signature type declaration #1208 #1209

`v8.5.3`: — Trap Master

Another portion of JSR related improvements #1193 #1192
Goods refactoring #1195
- Fixes expBackoff implementation
- Sets $.log.output as default spinner() output
- Makes configurable question() I/O
Added Graaljs compatability test #1194
Docs improvements, usage examples updates #1198

`v8.5.2`: — Threaded Perfection

Various JSR fixes #1189 #1186 #1179 #1187
Docs improvements #1185 #1181

Configuration

📅 Schedule: (in timezone America/New_York)

Branch creation
- ""
Automerge
- At any time (no schedule defined)

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

renovate Bot added the dependencies label

renovate Bot requested a review from a team

December 16, 2025 20:00

renovate Bot requested review from a team and sullivanpj as code owners

December 16, 2025 20:00

renovate Bot added the dependencies label

renovate Bot enabled auto-merge (squash)

December 16, 2025 20:00

Author

renovate Bot commented Dec 16, 2025

Branch automerge failure

This PR was configured for branch automerge. However, this is not possible, so it has been raised as a PR instead.

Branch has one or more failed status checks

renovate Bot force-pushed the renovate/npm-zx-vulnerability branch from 17cded0 to db02120 Compare

January 1, 2026 01:26

renovate Bot force-pushed the renovate/npm-zx-vulnerability branch from db02120 to b07b993 Compare

January 9, 2026 07:46

renovate Bot force-pushed the renovate/npm-zx-vulnerability branch 2 times, most recently from 84fbfc3 to ce42ec2 Compare

January 24, 2026 07:00

renovate Bot force-pushed the renovate/npm-zx-vulnerability branch from ce42ec2 to f8fd335 Compare

February 3, 2026 07:43

renovate Bot force-pushed the renovate/npm-zx-vulnerability branch 2 times, most recently from b9d16b0 to 3e32b1d Compare

February 19, 2026 08:12

renovate Bot force-pushed the renovate/npm-zx-vulnerability branch from 3e32b1d to 9b7ef68 Compare

March 8, 2026 10:13

renovate Bot force-pushed the renovate/npm-zx-vulnerability branch from 9b7ef68 to f20c59b Compare

April 15, 2026 22:11

socket-security Bot commented Apr 15, 2026 •

edited

Loading

All alerts resolved. Learn more about Socket for GitHub.

This PR previously contained dependency changes with security issues that have been resolved, removed, or ignored.

View full report

renovate Bot force-pushed the renovate/npm-zx-vulnerability branch from f20c59b to 81207ae Compare

April 30, 2026 01:45

renovate Bot force-pushed the renovate/npm-zx-vulnerability branch from 81207ae to 521419f Compare

May 13, 2026 04:12

renovate Bot force-pushed the renovate/npm-zx-vulnerability branch from 521419f to a98cfb5 Compare

May 22, 2026 03:50


          chore(monorepo): update pnpm.catalog.default zx to v8.8.5 [security]

b0b785c

renovate Bot force-pushed the renovate/npm-zx-vulnerability branch from a98cfb5 to b0b785c Compare

May 30, 2026 11:41

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels