This repository was archived by the owner on Jun 24, 2026. It is now read-only.

Update dependency yeoman-environment to v6 [SECURITY]#230

Open

renovate[bot] wants to merge 1 commit into

mainfrom

renovate/npm-yeoman-environment-vulnerability

renovate Bot commented May 26, 2026 •

edited

Loading

Contributor

This PR contains the following updates:

Package	Change	Age	Confidence
yeoman-environment (source)	`^3.15.1` → `^6.0.0`

yeoman-environment Vulnerable to Arbitrary Package Installation without User Confirmation

CVE-2026-42089 / GHSA-vv9j-gjw2-j8wp

More information

Details

Impact

yeoman-environment versions >= 2.9.0 and < 6.0.1 install missing local generator packages from caller-supplied package names without user confirmation. In downstream consumers that pass attacker-controlled project configuration into this path, this can result in arbitrary package installation and code execution during CLI bootstrap.

The vulnerable method is installLocalGenerators(), which calls repository.install() directly without prompting the user.

Patches

Upgrade to yeoman-environment 6.0.1, which adds an interactive confirmation prompt before installation (PR #753).

Workarounds

None.

Resources

Fix commit 78d2af7

Severity

CVSS Score: 8.6 / 10 (High)
Vector String: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

Release Notes

yeoman/environment (yeoman-environment)

`v6.0.1`

What's Changed

fix: ask before installing local packages by @mshima in #753
chore(release): bump version to v6.0.1 by @github-actions[bot] in #757

Full Changelog: yeoman/environment@v6.0.0...v6.0.1

`v6.0.0`

🚀 yeoman-environment v6 – Release Notes

Switch to @yeoman/adapter v4 (and inquirer v13) by default.
Some behavior changes may happen.

`v5.1.3`

fix: only fallback to import if requiring fails with esm/async error (#716) e4fb745

`v5.1.2`

fix: use globbySync to resolve PNPM global node_modules paths (#692) 4317fef

`v5.1.1`

feat: lookup for generators in pnpm global folder (#680) 2fcd028

`v5.1.0`

chore(deps): bump globby from 15.0.0 to 16.0.0 (#676) cd962ec
chore(deps): bump @yeoman/conflicter from 3.0.0 to 4.0.0 (#677) 04a104b
chore(deps): bump globby from 14.1.0 to 15.0.0 (#662) 5d39217
feat: add generatorLookupOptions option (#674) a301ab8
fix: expose missing types (#673) 4de747f

`v5.0.0`

chore(deps): bump locate-path from 7.2.0 to 8.0.0 (#657) db2a7ce
chore(deps): bump untildify from 5.0.0 to 6.0.0 (#658) d63caf6
chore: add @yeoman/adapter to peerDependencies (#656) ca2fa1d

`v4.4.3`

chore: accept @yeoman/transform v2 f36bdf2

`v4.4.2`

chore: allow @yeoman/adapter v2.0.0 ad43a3a
update badge adda673

`v4.4.1`

What's Changed

Bump tar from 6.2.0 to 6.2.1 by @dependabot in #523
Bump ejs from 3.1.9 to 3.1.10 by @dependabot in #527
add bun support as a package manager by @kravetsone in #532

New Contributors

@kravetsone made their first contribution in #532

Full Changelog: yeoman/environment@v4.4.0...v4.4.1

`v4.4.0`

add callback function support for generator scheduling (#521) 1c3ff69

`v4.3.0`

add meta to the generator instance (#515) a48ee47

`v4.2.1`

fix customizeNamespace type dbd6955 146ac0e

`v4.2.0`

add option to customize namespaces (#511) 3e4b12f
allow to run generators using relative paths. (#507) cd68282
add an additional dependency to peer dependencies. (#506) bfac25b

`v4.1.3`

fix change event api usage c4c3ac6

`v4.1.2`

queue commit only if changed file is pending 2af3410

`v4.1.1`

fix findFeature api and type 29eb6b0

`v4.1.0`

feat: expose findFeature 9cc5518 aa6c0d2
chore: test adjusts 6a2cc4e e929644
chore: dependencies updates e04a888 07a1d5e

`v4.0.0`

requireGenerator type adjust.

Configuration

📅 Schedule: (UTC)

Branch creation
- At any time (no schedule defined)
Automerge
- At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

renovate Bot force-pushed the renovate/npm-yeoman-environment-vulnerability branch 2 times, most recently from 356c3a6 to a0b58ef Compare

June 1, 2026 23:43

renovate Bot force-pushed the renovate/npm-yeoman-environment-vulnerability branch 3 times, most recently from 0421fa0 to 1838162 Compare

June 11, 2026 11:13


          Update dependency yeoman-environment to v6 [SECURITY]

773b79a

renovate Bot force-pushed the renovate/npm-yeoman-environment-vulnerability branch from 1838162 to 773b79a Compare

June 23, 2026 09:07

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Labels

None yet