Summary
@openapitools/openapi-generator-cli@2.35.0 pins concurrently at exactly 9.2.1, which depends on shell-quote@1.8.3. This version of shell-quote is affected by CVE-2026-9277 (critical severity) — shell-quote quote() does not escape newlines in object .op values.
Dependency chain
@openapitools/openapi-generator-cli@2.35.0
└─ concurrently@9.2.1 (pinned exact)
   └─ shell-quote@1.8.3 (vulnerable, < 1.8.4)
Fix
concurrently@10.0.0+ depends on shell-quote@1.8.4 (the patched version). Bumping the concurrently dependency from 9.2.1 to ^10.0.3 (or at minimum a version that pulls in shell-quote >= 1.8.4) and regenerating the lockfile would resolve this.
The breaking changes in concurrently v10 are:
- Node.js >= 22 required
- ESM-only
- Prefix colors default to automatic
- Removed --name-separator flag and killOthers API option
References