
Bump concurrently to 10.0.3 to resolve shell-quote vulnerability#27554

Merged
frankmueller-msft merged 2 commits into main from fix/cg-shell-quote on Jun 24, 2026

Conversation

frankmueller-msft commented Jun 17, 2026


Summary

Bumps concurrently from ^9.2.1 to ^10.0.3 across all workspaces. concurrently@10.0.3 depends on shell-quote@1.8.4, which resolves the command injection vulnerability in shell-quote@1.8.3.

Approach

Per feedback from @Abe27342 and @alexvy86, this bumps to concurrently 10.x rather than patching 9.x. The breaking changes in v10 are minimal and safe for us:

  • Dropped support for Node <22 (we already require Node 22)
  • Converted to ESM (we only use concurrently as a CLI tool)

Changes:

  • Updated concurrently specifier from ^9.2.1 to ^10.0.3 in all package.json files
  • Removed the shell-quote: ^1.8.4 override from root pnpm-workspace.yaml (no longer needed)
  • Regenerated all 11 lockfiles

CG Alert

Resolves: https://dev.azure.com/fluidframework/internal/_componentGovernance/17385/alert/14301083

Copilot AI review requested due to automatic review settings June 17, 2026 03:24
github-actions Bot commented Jun 17, 2026


Hi! Thank you for opening this PR. Want me to review it?

Based on the diff (2408 lines, 143 files), I've queued these reviewers:

  • Correctness — logic errors, race conditions, lifecycle issues
  • Security — vulnerabilities, secret exposure, injection
  • API Compatibility — breaking changes, release tags, type design
  • Performance — algorithmic regressions, memory leaks
  • Testing — coverage gaps, hollow tests

How this works

  • Adjust the reviewer set by ticking/unticking boxes above. Reviewer toggles alone don't trigger anything.

  • Tick Start review below to dispatch the review fleet.

  • After review finishes, tick Start review again to request another run — it auto-resets after each dispatch.

  • This comment updates as new commits land; your reviewer selections are preserved.

  • Start review

Copilot AI left a comment



Copilot reviewed 11 out of 22 changed files in this pull request and generated no comments.

Files not reviewed (11)
  • build-tools/pnpm-lock.yaml: Generated file
  • common/build/eslint-config-fluid/pnpm-lock.yaml: Generated file
  • common/lib/common-utils/pnpm-lock.yaml: Generated file
  • common/lib/protocol-definitions/pnpm-lock.yaml: Generated file
  • pnpm-lock.yaml: Generated file
  • server/gitrest/pnpm-lock.yaml: Generated file
  • server/historian/pnpm-lock.yaml: Generated file
  • server/routerlicious/pnpm-lock.yaml: Generated file
  • tools/api-markdown-documenter/pnpm-lock.yaml: Generated file
  • tools/benchmark/pnpm-lock.yaml: Generated file
  • website/pnpm-lock.yaml: Generated file

github-actions Bot commented Jun 17, 2026


Fleet Review — Clean

No issues found across the reviewer fleet for this run.


@frankmueller-msft frankmueller-msft enabled auto-merge (squash) June 17, 2026 16:57

@alexvy86 alexvy86 left a comment


I see some inconsistencies (not all lockfiles list the override) but that might be moot because now that the new patch version is updated in the lockfiles, it's very probable the overrides in all the pnpm-workspace.yaml files are now unnecessary. I'd be a bit surprised if something pins its shell-quote dep specifically to 1.8.3 instead of a range that will still be happy with 1.8.4. I'd prefer to keep the list of overrides clean, with only the ones that we must keep so the lockfile doesn't revert to a bad version.

@frankmueller-msft


Good call — I verified that concurrently@9.2.1 declares an exact dependency on shell-quote: "1.8.3" (no caret/tilde). Without the override, pnpm install will always resolve to the vulnerable version. Since concurrently is present in all 11 workspaces, the override is unfortunately required everywhere.

I've updated the comments in each pnpm-workspace.yaml to make this clear, and added a section to the PR description explaining it.

@alexvy86


concurrently@9.2.1 declares an exact dependency on shell-quote: "1.8.3"

Ah, unfortunately true. Then my concern about the lockfiles is still valid, it seems like maybe the changes in some lockfiles were just pattern-matched and applied without actually running pnpm install because they don't list shell-quote in their overrides section. The one for build-tools doesn't have it, for example (I didn't look at the rest). So I'd suggest ensuring that we've actually run pnpm install in all workspaces and the lockfiles are fully in sync with what the pnpm-workspace files say.

@frankmueller-msft


Good catch — the pnpm-10 workspaces had their overrides in pnpm-workspace.yaml, but those are ignored when pnpm.overrides already exists in package.json. Fixed by:

  • Moving the override to package.json under pnpm.overrides for all pnpm-10 workspaces (matching the existing pattern there)
  • Keeping it in pnpm-workspace.yaml for pnpm-11 workspaces (root, website)
  • All lockfiles regenerated via pnpm install — no more pattern-matched edits

@alexvy86 alexvy86 left a comment


Not quite sure what's up with the build failures, but the change seems correct to me

@ChumpChief


Without having looked in detail here, probably need to reconcile with #27556 that already merged

@frankmueller-msft frankmueller-msft removed the request for review from Abe27342 June 18, 2026 11:52
@frankmueller-msft frankmueller-msft force-pushed the fix/cg-shell-quote branch 2 times, most recently from edf51c7 to 181e3d6 on June 18, 2026 13:43
Comment thread build-tools/pnpm-lock.yaml Outdated
serialize-javascript@>=6 <7: ^7.0.4
picomatch@>=2 <3: ^2.3.2
picomatch@>=4 <5: ^4.0.4
shell-quote: ^1.8.4
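Review bot: the `shell-quote: ^1.8.4` line in this lockfile's overrides block is only a record of what pnpm wrote at the last `pnpm install`, so it should be confirmed that the file was regenerated by an install rather than edited by hand. As the thread notes, concurrently@9.2.1 pins `shell-quote` to exactly `"1.8.3"`, and the overrides in `pnpm-workspace.yaml` are ignored for a workspace whose `package.json` already has `pnpm.overrides`; if the override is absent from the place pnpm actually reads for this workspace, the next install will drop this line and resolve `shell-quote@1.8.3` again.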


Given that there aren't actual package versions changing in many of these lock files, is the override needed (here and elsewhere)? We should generally keep the override list small for maintenance reasons unless they're needed.

@frankmueller-msft


@alexvy86 please re-approve after I fixed the build failures

@frankmueller-msft frankmueller-msft force-pushed the fix/cg-shell-quote branch 2 times, most recently from 8417af9 to 3dd9042 on June 22, 2026 17:27
@Abe27342


Looks like concurrently published security patches to its 9.x branch that also bump shell-quote. Let's just update concurrently instead. I'd actually advocate we go ahead and bump to latest (10.0.3) since the breaking change list on v10 does not look particularly scary (dropped support for node <22, converted to ESM but we only use it via CLI). That should avoid us needing to add any overrides.

@alexvy86


I agree with Abram, now that we're on Node22, just bumping to concurrently 10.x seems like the best option here.

@alexvy86


Without having looked in detail here, probably need to reconcile with #27556 that already merged

I'm a bit surprised that PR didn't have weird results once merged... if concurrently pins its dep to 1.8.3, I would expect that just updating the lockfiles across the repo to 1.8.4 without a corresponding override would cause a revert to 1.8.3 during the next install.

@frankmueller-msft frankmueller-msft changed the title from "Override shell-quote to ^1.8.4" to "Bump concurrently to 9.2.3 to resolve shell-quote vulnerability" on Jun 23, 2026
@frankmueller-msft


Updated the PR to use the approach suggested by @tylerbutler — bumped concurrently from 9.2.1 to 9.2.3 directly, which includes shell-quote@1.8.4. Removed the shell-quote override from pnpm-workspace.yaml. All 11 lockfiles now resolve concurrently@9.2.3 with shell-quote@1.8.4 and no shell-quote@1.8.3 remains anywhere.
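The verification this comment describes (no resolved shell-quote below 1.8.4 left in a lockfile), as an added example in JavaScript that is not code from the PR or from pnpm. It assumes the pnpm-lock.yaml v9 key shapes shown in the constructed sample (`name@version:` keys under `packages:`/`snapshots:` and `name: version` dependency lines) and scans the text line by line rather than parsing YAML fully.

```javascript
// Added example, not code from the PR or from pnpm: scan a pnpm-lock.yaml for resolved
// versions of one package that are still below the version that carries the fix.
// SAMPLE_LOCK is a constructed lockfile fragment; integrity values are placeholders.
const SAMPLE_LOCK = `
lockfileVersion: '9.0'
packages:
  concurrently@9.2.1:
    resolution: {integrity: sha512-PLACEHOLDER}
  shell-quote@1.8.3:
    resolution: {integrity: sha512-PLACEHOLDER}
snapshots:
  concurrently@9.2.1:
    dependencies:
      shell-quote: 1.8.3
`;

// Numeric major.minor.patch; a pre-release suffix is dropped for this comparison.
function parseSemver(v) {
  return v.split("-")[0].split(".").map((n) => parseInt(n, 10) || 0);
}

// -1, 0 or 1 for a < b, a == b, a > b.
function compareSemver(a, b) {
  const pa = parseSemver(a), pb = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) < (pb[i] || 0) ? -1 : 1;
  }
  return 0;
}

const escapeRe = (s) => s.replace(/[.*+?^${}()|[\]\\\/]/g, "\\$&");

// Every version of `pkg` the lockfile resolves: package/snapshot keys like
// "shell-quote@1.8.3:" and dependency lines like "shell-quote: 1.8.3".
function resolvedVersions(lockText, pkg) {
  const name = escapeRe(pkg);
  const patterns = [
    new RegExp(`^[ \\t]+${name}@(\\d+\\.\\d+\\.\\d+[^\\s(:]*)`, "gm"),
    new RegExp(`^[ \\t]+${name}: (\\d+\\.\\d+\\.\\d+[^\\s(]*)`, "gm"),
  ];
  const found = new Set();
  for (const re of patterns) for (const m of lockText.matchAll(re)) found.add(m[1]);
  return [...found].sort(compareSemver);
}

// Versions below `fixedIn` that still appear anywhere in the lockfile; an empty
// result is what the comment above claims for all 11 workspaces.
function vulnerableVersions(lockText, pkg, fixedIn) {
  return resolvedVersions(lockText, pkg).filter((v) => compareSemver(v, fixedIn) < 0);
}
```

On a real checkout, feed `vulnerableVersions` the contents of each workspace's pnpm-lock.yaml (for example via `fs.readFileSync`) with `"shell-quote"` and `"1.8.4"`; any non-empty result names a lockfile that was not regenerated against the fixed dependency.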

Bump concurrently from ^9.2.1 to ^10.0.3 across all workspaces.
concurrently@10.0.3 depends on shell-quote@1.8.4, resolving the
command injection vulnerability in shell-quote@1.8.3.

The breaking changes in concurrently v10 are minimal:
- Dropped support for Node <22 (we already require Node 22)
- Converted to ESM (we only use concurrently as a CLI tool)

Also removes the shell-quote override from pnpm-workspace.yaml since
it is no longer needed with concurrently 10.x.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@frankmueller-msft frankmueller-msft changed the title from "Bump concurrently to 9.2.3 to resolve shell-quote vulnerability" to "Bump concurrently to 10.0.3 to resolve shell-quote vulnerability" on Jun 23, 2026
@frankmueller-msft


Updated to bump concurrently to ^10.0.3 per @Abe27342 and @alexvy86's suggestion. The v10 breaking changes (Node <22 dropped, ESM-only) are safe for us since we're on Node 22 and only use concurrently via CLI. Removed the shell-quote override as well — no longer needed with concurrently 10.x.

@github-actions


🔗 No broken links found! ✅

Your attention to detail is admirable.

linkcheck output

1: starting server using command "npm run serve -- --no-open"
and when url "[ 'http://127.0.0.1:3000' ]" is responding with HTTP status code 200
running tests using command "npm run check-links"


> fluid-framework-website@0.0.0 serve
> docusaurus serve --no-open

[SUCCESS] Serving "build" directory at: http://localhost:3000/

> fluid-framework-website@0.0.0 check-links
> linkcheck http://localhost:3000 --skip-file skipped-urls.txt

Crawling...

Stats:
  290924 links
    1934 destination URLs
    2184 URLs ignored
       0 warnings
       0 errors


@github-actions


Bundle size comparison

Base commit: 6e623128a0f5b61cca32f805e0980b93aab1e5d5
Head commit: 8998c2274594ee5a8b5124e314ee12959f25f2c9

Notable changes

No bundles changed by ≥ 500 bytes parsed.

Per-bundle deltas

@fluid-example/bundle-size-tests

  • azureClient.js: parsed 618933 → 618989 (+56), gzip 164788 → 164838 (+50)
  • odspClient.js: parsed 591767 → 591823 (+56), gzip 158880 → 158923 (+43)
  • aqueduct.js: parsed 525463 → 525498 (+35), gzip 140685 → 140718 (+33)
  • fluidFramework.js: parsed 391960 → 391981 (+21), gzip 111092 → 111106 (+14)
  • sharedTree.js: parsed 381347 → 381361 (+14), gzip 108487 → 108496 (+9)
  • containerRuntime.js: parsed 303813 → 303827 (+14), gzip 83189 → 83197 (+8)
  • sharedString.js: parsed 175984 → 175991 (+7), gzip 49445 → 49453 (+8)
  • experimentalSharedTree.js: parsed 160798 → 160798 (0), gzip 45804 → 45804 (0)
  • matrix.js: parsed 159845 → 159852 (+7), gzip 45411 → 45418 (+7)
  • loader.js: parsed 145221 → 145235 (+14), gzip 39052 → 39067 (+15)
  • odspDriver.js: parsed 104431 → 104452 (+21), gzip 32647 → 32657 (+10)
  • directory.js: parsed 66616 → 66623 (+7), gzip 18532 → 18540 (+8)
  • 748.js: parsed 58793 → 58793 (0), gzip 17826 → 17826 (0)
  • map.js: parsed 46709 → 46716 (+7), gzip 14310 → 14317 (+7)
  • odspPrefetchSnapshot.js: parsed 45650 → 45664 (+14), gzip 15275 → 15284 (+9)
  • 594.js: parsed 44493 → 44493 (0), gzip 13744 → 13744 (0)
  • summarizerDelayLoadedModule.js: parsed 30753 → 30753 (0), gzip 7767 → 7767 (0)
  • socketModule.js: parsed 26486 → 26493 (+7), gzip 7883 → 7891 (+8)
  • createNewModule.js: parsed 12480 → 12480 (0), gzip 4786 → 4786 (0)
  • summaryModule.js: parsed 3797 → 3797 (0), gzip 1860 → 1860 (0)
  • connectionState.js: parsed 724 → 724 (0), gzip 429 → 429 (0)
  • sharedTreeAttributes.js: parsed 666 → 673 (+7), gzip 432 → 442 (+10)
  • debugAssert.js: parsed 429 → 429 (0), gzip 299 → 299 (0)
  • FluidFramework-HashFallback.js: parsed 422 → 422 (0), gzip 316 → 316 (0)

@frankmueller-msft frankmueller-msft merged commit 5be537e into main Jun 24, 2026
70 checks passed
@frankmueller-msft frankmueller-msft deleted the fix/cg-shell-quote branch June 24, 2026 16:59
@jason-ha


@frankmueller-msft, I don't know what happened with the merge message, but the title here "Bump concurrently to 10.0.3 to resolve shell-quote vulnerability" is much better than what was committed "Override shell-quote to ^1.8.4".

@frankmueller-msft


I agree @jason-ha. I should have updated the merge message.
