Update dependency @google/clasp to v3 [SECURITY]

[balena-renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
@google/clasp	^2.4.1 → ^3.0.0

---

@​google/clasp vulnerable to unsafe path traversal cloning or pulling a malicious script

CVE-2026-4092 / GHSA-hqjg-pww4-pcgq

More information

Details

Impact

Allows an attacker to perform a "Path Traversal" attack to modify files outside the projects directory, potentially allowing for running attacker code on the developer's machine.

Patches

Fixed in version 3.2.0

Workarounds

• Only clone or pull scripts from trusted sources
• Review the output of the pull and clone commands to verify only expected project files are modified

Severity

• CVSS Score: 8.7 / 10 (High)
• Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

References

• https://github.com/google/clasp/security/advisories/GHSA-hqjg-pww4-pcgq
• https://nvd.nist.gov/vuln/detail/CVE-2026-4092
• https://github.com/google/clasp/pull/1109
• https://github.com/google/clasp/commit/ba6bd666fe74de54950122b5d92ecf1dcc02a9d3
• https://github.com/google/clasp/releases/tag/v3.2.0
• https://github.com/advisories/GHSA-hqjg-pww4-pcgq

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

google/clasp (@​google/clasp)

v3.2.0

Compare Source

Features

• add Claude Code CLI support (#​1111) (56f0e62)
• Add support for comments in project settings file (#​1102) (64acdc2)
• Support custom port for no-localhost login (#​1104) (833eb7c)

Bug Fixes

• Improve validation of credential files (511a060)
• (SECURITY) prevent path traversal in remote file synchronization (#​1109) (ba6bd66)

v3.1.3

Compare Source

Bug Fixes

• Add back redirect port to login cmd to be consistent with current documentation (#​1094) (9e8f717)
• Gemini CLI Extension Path Issue (#​1097) (b466c57)

v3.1.1

Compare Source

Features

• Add config file to make repo a Gemini CLI extension (#​1090) (3b4bb8a)

Bug Fixes

• Separated URL from prompt message to help terminals better detect URL to make it clickable (#​1089) (9d59aa1)
• update Gemini CLI extension config file (#​1092) (62e0dac)

v3.1.0

Compare Source

Features

• Add delete command (#​1050 (3173db0)
• Add script id option to list commands ([#​1060)(#​1066) (4579421)
• Make --json flag global (#​1074 (a415260)

Bug Fixes

• handle unknown severity levels in logs (#​1081) (79fb283)
• Assorted documentation fixes

v2.5.0

Compare Source

Features

• Add support for custom redirect port in clasp login (#​1020) (d55832e)

Bug Fixes

• Don't write files on clone if unable to fetch project (#​824) (b3b292a)
• Rethrow error so command exits with error status (#​1019) (29ac629)

v2.4.2

Compare Source

Bug Fixes

• remove online check (#​936) (6775d9f)

2.4.1 (2021-08-09)

Bug Fixes

• Don't require package.json for simple commands (#​840) (#​862) (ad5d045)
• Fix saving credentials when refreshed. (#​863) (48e6fa3)
• Honor --project CLI option (#​865) (deacf03)
• Shut down embedded server on login faster (40e0b3d)

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Renovate Bot.