Skip to content

chore(deps-dev): Bump just-bash from 3.0.2 to 3.0.3#243

Merged
dependabot-pr-auto-approver[bot] merged 1 commit into
mainfrom
dependabot/npm_and_yarn/just-bash-3.0.3
Jul 8, 2026
Merged

chore(deps-dev): Bump just-bash from 3.0.2 to 3.0.3#243
dependabot-pr-auto-approver[bot] merged 1 commit into
mainfrom
dependabot/npm_and_yarn/just-bash-3.0.3

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 8, 2026

Copy link
Copy Markdown
Contributor

Bumps just-bash from 3.0.2 to 3.0.3.

Release notes

Sourced from just-bash's releases.

just-bash@3.0.3

Patch Changes

  • #277 aec5643 Thanks @​mutewinter! - interpreter: avoid lazy import in variable assignment path that trips defense-in-depth (fixes #273)

    Any non-export variable assignment (bare SECRET=s, prefixed SECRET=s cmd, or before a custom command) failed with a defense-in-depth security violation (dynamic import of Node.js builtin 'node:module' is blocked during script execution), while plain commands and export-ed assignments passed.

    processScalarAssignment() resolved isArray via await import("./expansion.js") in two spots. In the bundled dist, that dynamic import() marks expansion.js as a lazily-linked chunk whose createRequire banner imports node:module; the defense layer's ESM resolve hook blocks that builtin import when the sandbox is active and untrusted, so it blocked just-bash's own chunk load. The file already statically imports from ./expansion.js, so isArray is now pulled from that static import and the two lazy imports are removed — no lazy node:module-bearing chunk is linked at runtime. No public API change.

  • #276 1ec5eec Thanks @​mutewinter! - interpreter: preserve leading whitespace in multi-line quoted strings (fixes #259)

    exec() runs each script through normalizeScript(), which trimStart()s leading indentation from lines so indented template-literal scripts parse. It was applied line-by-line and stripped the leading whitespace inside multi-line single- and double-quoted strings too. The visible symptom was python3 -c '...' (and node -e, awk, etc.) with an indented body failing with IndentationError, while the same code via heredoc or pipe worked.

    normalizeScript() is now quote-aware (mirroring the earlier heredoc-aware fix): it only strips indentation from lines that begin outside any quote, and preserves lines that begin inside an unterminated single- or double-quoted string verbatim. This also un-skips four sed spec tests whose indented stdin was previously being corrupted.

  • #286 cb2b583 Thanks @​privatenumber! - interpreter: deliver redirected output to each fd's final target (fixes cmd > file 2>&1 leaking stderr to stdout)

    applyRedirections() processed a command's redirection list sequentially over the result's stdout/stderr strings, moving content at each step. The duplication operators (2>&1, 1>&2) merged into the live stream regardless of where the source fd pointed, so the canonical cmd > file 2>&1 wrote stdout to the file but leaked stderr onto the caller's stdout — including "command not found" errors and custom-command stderr. Any wrapper protocol that parses the enclosing script's stdout (e.g. a runner emitting a JSON payload after eval "$CMD" > "$OUT" 2>&1) saw the leaked stderr corrupt its stream. Ordering variants were wrong in other ways: cmd 2>&1 > file put stderr in the file instead of on stdout, and cmd > a > b wrote content to a instead of b.

    The pass now mirrors how bash sets up fds before running the command: each output redirection only opens/truncates its target and re-points the fd's

... (truncated)

Commits
  • 729fe8f chore: release (#287)
  • cb2b583 fix(interpreter): deliver redirected output to each fd's final target (#286)
  • 1ec5eec fix(interpreter): preserve leading whitespace in multi-line quoted strings (#...
  • aec5643 fix(interpreter): avoid lazy import in assignment path that trips defense-in-...
  • See full diff in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [just-bash](https://github.com/vercel-labs/just-bash) from 3.0.2 to 3.0.3.
- [Release notes](https://github.com/vercel-labs/just-bash/releases)
- [Commits](https://github.com/vercel-labs/just-bash/compare/just-bash@3.0.2...just-bash@3.0.3)

---
updated-dependencies:
- dependency-name: just-bash
  dependency-version: 3.0.3
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Jul 8, 2026
Copilot AI review requested due to automatic review settings July 8, 2026 03:05
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Jul 8, 2026

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot can't review bot-authored pull requests automatically. A user with Copilot access can request a review manually.

@dependabot-pr-auto-approver dependabot-pr-auto-approver Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Automatically approved by dependabot auto-approve workflow

@dependabot-pr-auto-approver dependabot-pr-auto-approver Bot merged commit 04b45fc into main Jul 8, 2026
14 checks passed
@dependabot dependabot Bot deleted the dependabot/npm_and_yarn/just-bash-3.0.3 branch July 8, 2026 05:08
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant