chore: bump simple-git 3.35.1 → 3.36.0 (CVE-2026-6951) by yoannmoinet · Pull Request #344 · DataDog/build-plugins · GitHub

chore: bump simple-git 3.35.1 → 3.36.0 (CVE-2026-6951)#344

Merged
gh-worker-dd-mergequeue-cf854d[bot] merged 1 commit into master from vitrine/security-update-simple-git-3-36-0-cve-2026-6951-a3f72b1c on May 12, 2026

Conversation

@yoannmoinet yoannmoinet commented May 7, 2026

Member

What and why?

simple-git@3.35.1 is pinned across all published plugin packages and the internal git plugin. It is affected by CVE-2026-6951 (CVSS 9.8), an RCE vulnerability that is an incomplete fix for CVE-2022-25912.

The original patch blocked the -c flag but not the equivalent --config form. An attacker can pass protocol.ext.allow=always via --config to enable RCE through ext:: clones when untrusted input reaches simple-git's options argument.

How?

  • Bumped "simple-git": "3.35.1" → "3.36.0" (exact pin, no range prefix) in 6 package.json files:
    • packages/plugins/git/package.json
    • packages/published/esbuild-plugin/package.json
    • packages/published/rollup-plugin/package.json
    • packages/published/rspack-plugin/package.json
    • packages/published/vite-plugin/package.json
    • packages/published/webpack-plugin/package.json
  • Ran yarn install to update yarn.lock and the yarn cache (3.36.0 also pulls updated @simple-git/args-pathspec@1.0.3 and @simple-git/argv-parser@1.1.1)
  • Ran yarn cli integrity — passed cleanly, no additional file changes

Fixes RCE vulnerability where `--config protocol.ext.allow=always` could
bypass the previous `-c` patch (CVE-2022-25912 incomplete fix).

Fixes: #342

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
yoannmoinet marked this pull request as ready for review May 7, 2026 15:05
gh-worker-dd-mergequeue-cf854d (bot) merged commit 2a0ebc4 into master May 12, 2026
8 of 9 checks passed
gh-worker-dd-mergequeue-cf854d (bot) deleted the vitrine/security-update-simple-git-3-36-0-cve-2026-6951-a3f72b1c branch May 12, 2026 13:22
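The description above explains the bypass: a check that only rejects the bare `-c` flag misses the equivalent `--config` spelling, so `--config protocol.ext.allow=always` followed by an `ext::` clone URL still reaches git. The block below is an added example, not simple-git's own code and not part of this PR; it shows the same incomplete check beside an application-side filter that catches every spelling git accepts for an inline config override (`-c key=val`, attached `-ckey=val`, `--config key=val`, `--config=key=val`, and `--config-env`), and then the safer pattern of never forwarding raw flags at all. Function names (`naiveRejectsConfig`, `hardenedRejectsConfig`, `buildCloneArgs`) and the regexes are this example's own; the dependency upgrade in the PR remains the actual fix, and this is defense in depth for code that builds simple-git's `options` argument from untrusted input.

```javascript
// Added example (not simple-git's implementation): validating git arguments
// derived from untrusted input before they reach simple-git's `options`
// argument. Everything below is illustrative application code.

// Mirrors the incomplete fix described in the PR: only the bare `-c` flag is
// rejected, so the equivalent `--config` spelling slips through unchanged.
function naiveRejectsConfig(args) {
  return args.some((a) => a === '-c');
}

// Every spelling git accepts for an inline config override, per git(1):
//   -c <key>=<value>           (value may also be attached: -c<key>=<value>)
//   --config <key>=<value>     (or --config=<key>=<value>)
//   --config-env=<key>=<envvar> (value read from an environment variable)
// Any element matching one of these is refused outright; we do not try to
// allowlist "safe" keys because protocol.ext.allow is only one of many
// settings (core.sshCommand, core.gitProxy, ...) that lead to code execution.
const INLINE_CONFIG_RE = /^(?:-c(?:.+)?|--config(?:=.*)?|--config-env(?:=.*)?)$/;

function hardenedRejectsConfig(args) {
  return args.some((a) => INLINE_CONFIG_RE.test(a));
}

// Safer still: do not forward caller-supplied flags at all. Accept a few named
// parameters, validate each, and emit a fixed argument shape. A value can never
// become a flag here because it is only ever pushed right after its own
// hard-coded option, and the regexes reject a leading '-'.
// The https-only remote check also rejects ext::, file:// and ssh transports,
// which is what closes the ext:: path the PR describes. (Constructed policy;
// loosen it deliberately if your deployment needs other transports.)
const SAFE_REMOTE_RE = /^https:\/\/[A-Za-z0-9.-]+\/[A-Za-z0-9._/-]+$/;
const SAFE_REF_RE = /^[A-Za-z0-9][A-Za-z0-9._/-]*$/;

function buildCloneArgs({ remote, branch, depth }) {
  if (typeof remote !== 'string' || !SAFE_REMOTE_RE.test(remote)) {
    throw new Error('remote must be a plain https:// URL');
  }
  const args = [];
  if (branch !== undefined) {
    if (typeof branch !== 'string' || !SAFE_REF_RE.test(branch)) {
      throw new Error('invalid branch name');
    }
    args.push('--branch', branch);
  }
  if (depth !== undefined) {
    if (!Number.isInteger(depth) || depth < 1) {
      throw new Error('depth must be a positive integer');
    }
    args.push('--depth', String(depth));
  }
  // Caller would then do: simpleGit().clone(remote, localDir, args)
  return { remote, args };
}

// Constructed sample input: the bypass from the advisory text, as an attacker
// could supply it if raw options were forwarded.
const BYPASS = ['--config', 'protocol.ext.allow=always'];
function demo() {
  return {
    naiveCatchesBypass: naiveRejectsConfig(BYPASS),        // false: the hole
    hardenedCatchesBypass: hardenedRejectsConfig(BYPASS),  // true
    built: buildCloneArgs({ remote: 'https://github.com/DataDog/build-plugins', branch: 'master', depth: 1 }),
  };
}
```

To confirm the pin actually took effect across the workspace after a bump like this one, `yarn why simple-git` lists every package that still resolves the dependency and which version each one gets; a stray range elsewhere in the tree would show up there as a second version.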
