Register | Log in

node-shell-quote

quote and parse shell commands

Choose email to subscribe with

general

source: node-shell-quote (main)
version: 1.9.0+~1.7.5-1
maintainer: Debian Javascript Maintainers (archive) (DMD)
uploaders: Bastien Roucariès [DMD]
arch: all
std-ver: 4.7.4
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

oldstable: 1.7.4+~1.7.1-1
old-sec: 1.7.4+~1.7.1-1+deb12u1
old-p-u: 1.7.4+~1.7.1-1+deb12u1
stable: 1.7.4+~1.7.1-1
stable-sec: 1.7.4+~1.7.1-1+deb13u1
stable-p-u: 1.7.4+~1.7.1-1+deb13u1
testing: 1.8.4+~1.7.5-1
unstable: 1.9.0+~1.7.5-1

versioned links

1.7.4+~1.7.1-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1.7.4+~1.7.1-1+deb12u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1.7.4+~1.7.1-1+deb13u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1.8.4+~1.7.5-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1.9.0+~1.7.5-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

node-shell-quote

action needed

1 security issue in forky high

There is 1 open security issue in forky.

1 important issue:

CVE-2026-13311: shell-quote prior to 1.8.5 finalizes parsed tokens in parse() using Array.prototype.concat as a reduce accumulator, which reallocates and copies the entire growing array on every iteration. As a result parse() runs in O(n^2) time relative to the number of input tokens. An attacker who can supply an attacker-controlled string to any code path that calls parse() (no shell metacharacters are required; plain space-separated words suffice) can block the single-threaded Node.js event loop for an extended period with a small input, resulting in a denial of service. There is no code execution or data disclosure; impact is to availability only. Fixed in 1.8.5.

Created: 2026-06-26 Last update: 2026-06-28 20:30

1 security issue in bookworm high

There is 1 open security issue in bookworm.

1 important issue:

CVE-2026-13311: shell-quote prior to 1.8.5 finalizes parsed tokens in parse() using Array.prototype.concat as a reduce accumulator, which reallocates and copies the entire growing array on every iteration. As a result parse() runs in O(n^2) time relative to the number of input tokens. An attacker who can supply an attacker-controlled string to any code path that calls parse() (no shell metacharacters are required; plain space-separated words suffice) can block the single-threaded Node.js event loop for an extended period with a small input, resulting in a denial of service. There is no code execution or data disclosure; impact is to availability only. Fixed in 1.8.5.

Created: 2026-06-26 Last update: 2026-06-28 20:30

1 low-priority security issue in trixie low

There is 1 open security issue in trixie.

1 issue left for the package maintainer to handle:

CVE-2026-13311: (needs triaging) shell-quote prior to 1.8.5 finalizes parsed tokens in parse() using Array.prototype.concat as a reduce accumulator, which reallocates and copies the entire growing array on every iteration. As a result parse() runs in O(n^2) time relative to the number of input tokens. An attacker who can supply an attacker-controlled string to any code path that calls parse() (no shell metacharacters are required; plain space-separated words suffice) can block the single-threaded Node.js event loop for an extended period with a small input, resulting in a denial of service. There is no code execution or data disclosure; impact is to availability only. Fixed in 1.8.5.

You can find information about how to handle this issue in the security team's documentation.

Created: 2026-06-26 Last update: 2026-06-28 20:30

testing migrations

excuses:
- Migration status for node-shell-quote (1.8.4+~1.7.5-1 to 1.9.0+~1.7.5-1): Waiting for test results or another package, or too young (no action required now - check later)
- Issues preventing migration:
- ∙ ∙ Autopkgtest for node-browserify/17.0.1+ds-3: amd64: Pass, arm64: Pass, i386: Pass, loong64: Pass, ppc64el: Pass, riscv64: Pass, s390x: Test triggered
- ∙ ∙ Autopkgtest for node-outpipe/1.1.1-1: amd64: Pass, arm64: Pass, i386: Pass, loong64: Pass, ppc64el: Pass, riscv64: Pass, s390x: Test triggered
- ∙ ∙ Autopkgtest for node-shell-quote/1.9.0+~1.7.5-1: amd64: Pass, arm64: Pass, i386: Pass, loong64: Pass, ppc64el: Pass, riscv64: Pass, s390x: Test triggered
- ∙ ∙ Autopkgtest for node-tap/16.3.7+ds3+~cs49.5.20-7: amd64: Pass, arm64: Pass, i386: Pass, loong64: Pass, ppc64el: Pass, riscv64: Pass, s390x: Test triggered
- ∙ ∙ Lintian check waiting for test results - info
- ∙ ∙ Too young, only 1 of 5 days old
- Additional info (not blocking):
- ∙ ∙ Piuparts tested OK - https://piuparts.debian.org/sid/source/n/node-shell-quote.html
- ∙ ∙ Reproduced on amd64 - info
- ∙ ∙ Reproduced on arm64 - info
- ∙ ∙ Reproduced on armhf - info
- ∙ ∙ Reproduced on i386 - info
- Not considered

news

[2026-06-28] Accepted node-shell-quote 1.9.0+~1.7.5-1 (source) into unstable (Xavier Guimard)
[2026-05-27] Accepted node-shell-quote 1.7.4+~1.7.1-1+deb12u1 (source all) into oldstable-proposed-updates (Debian FTP Masters) (signed by: Xavier Guimard)
[2026-05-27] Accepted node-shell-quote 1.7.4+~1.7.1-1+deb13u1 (source all) into proposed-updates (Debian FTP Masters) (signed by: Xavier Guimard)
[2026-05-27] node-shell-quote 1.8.4+~1.7.5-1 MIGRATED to testing (Debian testing watch)
[2026-05-26] Accepted node-shell-quote 1.7.4+~1.7.1-1+deb12u1 (source all) into oldstable-security (Debian FTP Masters) (signed by: Xavier Guimard)
[2026-05-26] Accepted node-shell-quote 1.7.4+~1.7.1-1+deb13u1 (source all) into stable-security (Debian FTP Masters) (signed by: Xavier Guimard)
[2026-05-23] Accepted node-shell-quote 1.8.4+~1.7.5-1 (source) into unstable (Xavier Guimard)
[2026-01-02] node-shell-quote 1.8.3+~1.7.5-1 MIGRATED to testing (Debian testing watch)
[2025-12-30] Accepted node-shell-quote 1.8.3+~1.7.5-1 (source) into unstable (Bastien Roucariès) (signed by: Bastien ROUCARIÈS)
[2025-12-30] Accepted node-shell-quote 1.7.4+~1.7.1-2 (source) into unstable (Bastien Roucariès) (signed by: Bastien ROUCARIÈS)
[2022-11-21] node-shell-quote 1.7.4+~1.7.1-1 MIGRATED to testing (Debian testing watch)
[2022-11-14] Accepted node-shell-quote 1.7.4+~1.7.1-1 (source) into unstable (Yadd) (signed by: Xavier Guimard)
[2022-03-24] Accepted node-shell-quote 1.7.3+~1.7.1-1~bpo11+1 (source all) into bullseye-backports, bullseye-backports (Debian FTP Masters) (signed by: Xavier Guimard)
[2022-01-11] node-shell-quote 1.7.3+~1.7.1-1 MIGRATED to testing (Debian testing watch)
[2022-01-09] Accepted node-shell-quote 1.7.3+~1.7.1-1 (source) into unstable (Yadd) (signed by: Xavier Guimard)
[2020-02-01] Accepted node-shell-quote 1.7.2-1 (source) into unstable (Nilesh) (signed by: Xavier Guimard)
[2017-08-23] Accepted node-shell-quote 1.6.1+20160617-git72fb5a8ce29b-1 (source all) into unstable, unstable (Bastien Roucariès) (signed by: Bastien ROUCARIÈS)

bugs [bug history graph]

all: 0

links

homepage
buildd: logs, reproducibility
popcon
browse source code
other distros
security tracker
debci

ubuntu

[Information about Ubuntu for Debian Developers]

version: 1.8.3+~1.7.5-1

Debian Package Tracker — Copyright 2013-2025 The Distro Tracker Developers

Report problems to the tracker.debian.org pseudo-package in the Debian BTS.

Documentation — Bugs — Git Repository — Contributing