
chore(deps): update dependency simple-git to v3.36.0 [security]#431

Merged
renovate[bot] merged 1 commit into main from renovate/npm-simple-git-vulnerability
Jun 8, 2026

Conversation

renovate Bot (Contributor) commented Jun 8, 2026

This PR contains the following updates:

Package: simple-git (source)
Change: 3.32.3 -> 3.36.0

simple-git is vulnerable to Remote Code Execution

CVE-2026-6951 / GHSA-hffm-xvc3-vprc


Details

Versions of the package simple-git before 3.36.0 are vulnerable to Remote Code Execution (RCE) due to an incomplete fix for CVE-2022-25912 that blocks the -c option but not the equivalent --config form. If untrusted input can reach the options argument passed to simple-git, an attacker may still achieve remote code execution by enabling protocol.ext.allow=always and using an ext:: clone source.

Severity

  • CVSS Score: 8.2 / 10 (High)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Release Notes

steveukx/git-js (simple-git)

v3.36.0


Minor Changes
  • 89a2294: Extend known exploitable configuration keys and per-task environment variables.

    Note - ParsedVulnerabilities from argv-parser is removed in favour of a readonly array of Vulnerability to match usage in simple-git, rolled into the new vulnerabilityCheck for simpler access to the identified issues.

    Thanks to @zebbern for identifying the need to block core.fsmonitor.
    Thanks to @kodareef5 for identifying the need to block GIT_CONFIG_COUNT environment variables and --template / merge related config.

Patch Changes

v3.35.2


Patch Changes

v3.35.1


Patch Changes

v3.35.0


Minor Changes
Patch Changes

v3.34.0


Minor Changes
  • 2b68331: Revised dependency tree to add helper modules as dependencies in main simple-git
Patch Changes
  • 2e1f51c: Enhances scanning of arguments before passing on to the spawned child_process.

    Caters for -c flags prefixing the git task (used when setting global inline config) and suffixing with either -c, --config or --config-env. Detects git config operations that write to the configuration.

  • Updated dependencies [2e1f51c]

v3.33.0


Minor Changes
  • a263635: Use pathspec wrappers for remote and local paths when running either git.clone or git.mirror to avoid leaving them less open for unexpected outcomes when passing unsanitised data into these tasks.
Patch Changes

Configuration

📅 Schedule: (in timezone Europe/Stockholm)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


This PR was generated by Mend Renovate. View the repository job log.
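The advisory above describes a bypass of an earlier fix: `-c` was blocked but the equivalent `--config` form was not, and the changelog lists the further shapes (glued `-cKEY=VAL`, `--config-env`, `GIT_CONFIG_COUNT`) that 3.34.0 and 3.36.0 started scanning for. The following is an added, defence-in-depth example for applications that build a simple-git option array from user-influenced input; it is not simple-git's own code, and `findUnsafeGitArgs`, `assertSafeGitArgs` and the `BLOCKED_KEYS` list are hypothetical names chosen here. Upgrading to 3.36.0 remains the actual fix.

```javascript
// Added defence-in-depth check (hypothetical helper, not part of simple-git) for callers
// that build a simple-git option array from user-influenced input. Flags inline git config
// via -c / --config / --config-env, ext:: clone sources and GIT_CONFIG_COUNT in the env.

const CONFIG_FLAGS = ['-c', '--config', '--config-env'];
// Keys the release notes name as exploitable when set inline; extend as needed.
const BLOCKED_KEYS = ['protocol.ext.allow', 'core.fsmonitor'];

// Returns { flag, value } when `arg` is an inline-config flag (value === null means
// the config value is the *next* argument), otherwise null.
function splitConfigArg(arg) {
  for (const flag of CONFIG_FLAGS) {
    if (arg === flag) return { flag, value: null };
    if (arg.startsWith(flag + '=')) return { flag, value: arg.slice(flag.length + 1) };
  }
  // Glued short form, e.g. "-cprotocol.ext.allow=always".
  if (arg.startsWith('-c') && !arg.startsWith('--')) return { flag: '-c', value: arg.slice(2) };
  return null;
}

// Scans `args` (and optionally the child-process `env`) and returns a list of
// human-readable findings; an empty list means nothing dangerous was seen.
function findUnsafeGitArgs(args, env = {}) {
  const findings = [];
  for (let i = 0; i < args.length; i++) {
    const arg = String(args[i]);
    const cfg = splitConfigArg(arg);
    if (cfg) {
      const value = cfg.value ?? String(args[i + 1] ?? '');
      const key = value.split('=')[0].trim().toLowerCase();
      findings.push(BLOCKED_KEYS.includes(key)
        ? `blocked config key "${key}" via ${cfg.flag}`
        : `inline config via ${cfg.flag} is not allowed for untrusted input`);
      if (cfg.value === null) i++; // the next argument was consumed as the value
      continue;
    }
    if (/^ext::/i.test(arg.trim())) findings.push('ext:: transport used as a source');
  }
  if (Object.keys(env).some((k) => k.toUpperCase() === 'GIT_CONFIG_COUNT')) {
    findings.push('GIT_CONFIG_COUNT set in environment (injects config entries)');
  }
  return findings;
}

// Convenience guard for call sites: throw before anything reaches simple-git.
function assertSafeGitArgs(args, env = {}) {
  const findings = findUnsafeGitArgs(args, env);
  if (findings.length) throw new Error('unsafe git arguments: ' + findings.join('; '));
  return args;
}
```

Because it rejects every inline-config form rather than a denylist of keys, it is stricter than simple-git's own scanner; the constructed inputs in the test below cover the separate, `=`-joined and glued spellings.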

renovate Bot (Contributor, Author) commented Jun 8, 2026

Branch automerge failure

This PR was configured for branch automerge. However, this is not possible, so it has been raised as a PR instead.

@renovate renovate Bot enabled auto-merge June 8, 2026 02:40

sentry Bot commented Jun 8, 2026
Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 85.66%. Comparing base (83c5f0a) to head (38cf53f).

Additional details and impacted files
@@           Coverage Diff           @@
##             main     #431   +/-   ##
=======================================
  Coverage   85.66%   85.66%           
=======================================
  Files          61       61           
  Lines        1109     1109           
  Branches      235      235           
=======================================
  Hits          950      950           
  Misses        159      159           


@renovate renovate Bot added this pull request to the merge queue Jun 8, 2026
Merged via the queue into main with commit 2a37858 Jun 8, 2026
20 of 24 checks passed
@renovate renovate Bot deleted the renovate/npm-simple-git-vulnerability branch June 8, 2026 03:07
