
dependency: update simple-git for CVE-2026-28292 #33470

Open
mschile wants to merge 4 commits into develop from mschile/simple_git

Conversation

@mschile (Contributor) commented Mar 12, 2026

  • Closes N/A — security dependency update.

Additional details

  • Why was this change necessary? Security scans reported Improper Handling of Case Sensitivity (CVE-2026-28292) in simple-git.
  • What is affected? @packages/app and @packages/data-context — both depend on simple-git. Upgraded from 3.27.0 to ^3.32.3 (lockfile resolved to 3.33.0).
  • Implementation: Version bump in both package.json files and CHANGELOG entry for 15.12.1.

Note

Medium Risk
Primarily a dependency upgrade, but it affects git-related workflows in the app/data-context and introduces a patch-package override to the vendored simple-git build output, which could cause runtime differences across environments.

Overview
Updates simple-git from 3.27.0 to ^3.32.3 (lockfile resolves to 3.33.0) in @packages/app and @packages/data-context to remediate CVE-2026-28292, and records the change in the 15.12.1 CLI changelog entry.

Adds a patch-package patch for simple-git@3.33.0 adjusting static class field initialization in both CJS and ESM bundles, and updates yarn.lock to reflect the new simple-git and debug dependency versions.

Written by Cursor Bugbot for commit 96c9ecf.

Steps to test

  • yarn to install updated lockfile.
  • Smoke-check any flows that use git (e.g. project setup, git status in the app). No API changes to simple-git are expected for this upgrade.

How has the user experience changed?

No user-facing behavior change; dependency security update only.

PR Tasks

  • Have tests been added/updated? [na] — dependency upgrade only.
  • Has a PR for user-facing changes been opened in cypress-documentation? [na]
  • Have API changes been updated in the type definitions? [na]
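A lockfile check for the remediation described in this PR, added here as an example; it is not part of the PR or of the Cypress code base. It assumes the yarn.lock v1 format and works on constructed package.json and yarn.lock excerpts that mirror the description above (two workspaces at `^3.32.3` resolving to 3.33.0), plus a hypothetical `packages/stale-example` workspace still pinned to 3.27.0 so the failing path is exercised. The fix floor of 3.32.3 is the one stated in the PR; `compareVersions`, `parseYarnLockV1` and `auditDependency` are names chosen for this example.

```javascript
// Added example (not Cypress project code): confirm that every workspace
// package depending on simple-git resolves, through yarn.lock v1, to a
// version at or above the fix floor recorded in the PR (3.32.3).
// All inputs below are constructed for the example, not the real files.

const FIX_FLOOR = "3.32.3";

// Constructed package.json contents. The first two mirror the PR; the third
// is a hypothetical stale workspace included to show a failing finding.
const PACKAGE_JSONS = {
  "packages/app": JSON.stringify({ name: "@packages/app", dependencies: { "simple-git": "^3.32.3" } }),
  "packages/data-context": JSON.stringify({ name: "@packages/data-context", dependencies: { "simple-git": "^3.32.3" } }),
  "packages/stale-example": JSON.stringify({ name: "@packages/stale-example", dependencies: { "simple-git": "3.27.0" } }),
};

// Constructed yarn.lock v1 excerpt: one entry per "name@range" key.
const YARN_LOCK = `# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1


"@kwsites/file-exists@^1.1.1":
  version "1.1.1"
  resolved "https://registry.yarnpkg.com/@kwsites/file-exists/-/file-exists-1.1.1.tgz"

simple-git@^3.32.3:
  version "3.33.0"
  resolved "https://registry.yarnpkg.com/simple-git/-/simple-git-3.33.0.tgz"
  dependencies:
    "@kwsites/file-exists" "^1.1.1"
    debug "^4.4.3"

simple-git@3.27.0:
  version "3.27.0"
  resolved "https://registry.yarnpkg.com/simple-git/-/simple-git-3.27.0.tgz"
`;

// Minimal semver ordering for "major.minor.patch[-prerelease][+build]".
// A prerelease sorts below its release (3.32.3-beta.1 < 3.32.3); build
// metadata is ignored; a prerelease containing "-" is truncated at the
// first "-" (good enough for a fix-floor check, not a full semver impl).
function compareVersions(a, b) {
  const split = (v) => {
    const [core, pre] = v.split("+")[0].split("-");
    return { nums: core.split(".").map(Number), pre: pre || null };
  };
  const x = split(a), y = split(b);
  for (let i = 0; i < 3; i++) {
    const d = (x.nums[i] || 0) - (y.nums[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  if (x.pre === y.pre) return 0;
  if (x.pre === null) return 1;   // release beats prerelease
  if (y.pre === null) return -1;
  return x.pre < y.pre ? -1 : 1;
}

// Parse yarn.lock v1 into a Map of "name@range" -> resolved version.
// Entry headers are unindented lines ending in ":", possibly listing several
// comma-separated keys; the two-space "version" line applies to all of them.
function parseYarnLockV1(text) {
  const resolved = new Map();
  let keys = [];
  for (const raw of text.split("\n")) {
    if (raw.trim() === "" || raw.startsWith("#")) continue;
    if (!raw.startsWith(" ")) {
      keys = raw.replace(/:$/, "").split(", ").map((k) => k.replace(/^"|"$/g, ""));
      continue;
    }
    const m = raw.match(/^  version "([^"]+)"$/);
    if (m) for (const k of keys) resolved.set(k, m[1]);
  }
  return resolved;
}

// For each workspace that declares `dep`, look up what the lockfile actually
// resolved for its declared range and compare that against the fix floor.
// The range alone ("^3.32.3") proves nothing; only the resolved version does.
function auditDependency(packageJsons, lockText, dep, floor) {
  const lock = parseYarnLockV1(lockText);
  const findings = [];
  for (const [dir, json] of Object.entries(packageJsons)) {
    const pkg = JSON.parse(json);
    const range = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) }[dep];
    if (range === undefined) continue;
    const version = lock.get(`${dep}@${range}`);
    findings.push({
      package: pkg.name,
      dir,
      range,
      version: version === undefined ? null : version,
      ok: version !== undefined && compareVersions(version, floor) >= 0,
    });
  }
  return findings;
}

function allFixed(findings) {
  return findings.length > 0 && findings.every((f) => f.ok);
}

const findings = auditDependency(PACKAGE_JSONS, YARN_LOCK, "simple-git", FIX_FLOOR);
for (const f of findings) {
  console.log(`${f.ok ? "OK  " : "FAIL"} ${f.package} (${f.dir}): ${f.range} -> ${f.version}`);
}
console.log(allFixed(findings) ? "all workspaces at or above fix floor" : "remediation incomplete");
```

Against real files, the two constructed inputs would be read with `fs.readFileSync` from each workspace's package.json and the repository's yarn.lock; the check is deliberately keyed on the lockfile's resolved version rather than the package.json range, because a loosened range such as `^3.32.3` is not evidence that the installed copy is fixed until the lockfile says what it resolved to.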

@mschile mschile self-assigned this Mar 12, 2026
@mschile mschile requested a review from cacieprins March 12, 2026 23:03
@cypress cypress bot commented Mar 14, 2026

cypress    Run #69369

Run Properties:
  Status: Passed #69369
  Commit: 96c9ecf096: add package-package since we don't support ES2022
  Project: cypress
  Branch Review: mschile/simple_git
  Run duration: 20m 33s
  Committer: Matthew Schile

Test results
  Failures: 0
  Flaky: 10
  Pending (tests annotated with .skip): 1112
  Skipped (tests not run because a mocha hook failed): 0
  Passing: 27190

UI Coverage  62.34%
  Untested elements: 27
  Tested elements: 48
Accessibility  98.96%
  Failed rules: 0 critical, 3 serious, 1 moderate, 0 minor
  Failed elements: 19


1 participant