This release includes 1 security fix for security teams reviewing exposed deployments.
ReleasePort's take
Moderate signal: Release v0.8.0-next.2 patches CVE-2026-9277 by upgrading the shell-quote dependency to ^1.8.4.
Why it matters: CVE severity is critical (severity 90); upgrade to version ^1.8.4 immediately if using shell-quote in production environments.
Summary
AI summary: Fixed CVE-2026-9277 by overriding shell-quote to ^1.8.4.
Changes in this release
| Type | Severity | Summary | CVE |
|---|---|---|---|
| Security | Critical | Patches CVE-2026-9277 by upgrading shell-quote dependency to ^1.8.4. Source: llm_adapter@2026-06-10. Confidence: high. | — |
| Bugfix | Medium | Fixes doctor/setup consistency and adds self-contained Android SDK bootstrap in CLI. Source: llm_adapter@2026-06-10. Confidence: high. | — |
Full changelog
What's Changed
- fix(deps): override shell-quote to ^1.8.4 (CVE-2026-9277) by @jo-duchan in https://github.com/jo-duchan/tapflow/pull/247
- fix(cli): doctor/setup consistency + self-contained Android SDK bootstrap by @jo-duchan in https://github.com/jo-duchan/tapflow/pull/248
- chore: release v0.8.0-next.2 (prerelease, dist-tag next) by @jo-duchan in https://github.com/jo-duchan/tapflow/pull/249
Full Changelog: https://github.com/jo-duchan/tapflow/compare/v0.8.0-next.1...v0.8.0-next.2
Security Fixes
- CVE-2026-9277 — override shell-quote to ^1.8.4