Node.js dependency check

CVE-2026-13311: shell-quote parse() denial of service self-check

CVE-2026-13311 affects shell-quote before 1.8.5. The risk is availability: a Node.js service that passes untrusted text to this package's parse() can spend too long on a single request and, because parsing runs synchronously on the event loop, block all other work in that process while it does so.

Who should check

  • Node.js apps with shell-quote in package-lock.json, pnpm-lock.yaml, or yarn.lock.
  • APIs, job runners, CI helpers, chat bots, or admin tools that parse user-provided command-like text.
  • Teams that rely on transitive dependencies and have not regenerated lockfiles since the advisory.

Safe self-check

  1. Check the deployed lockfile and runtime image for shell-quote below 1.8.5.
  2. Search your codebase for imports or wrappers around parse() and note whether untrusted text reaches that path.
  3. Review application metrics for long request times, worker restarts, queue lag, or event-loop delay around public endpoints.
  4. Patch to 1.8.5 or newer, rebuild the artifact, and confirm the deployed image uses the patched lockfile.

Evidence to preserve

Keep the affected lockfile, deployment timestamp, Node.js version, service logs, timeout graphs, and any error traces. Do not paste sensitive request bodies into public issue trackers.

When to request help

Ask Ping7 for help when the affected app is internet-facing, the dependency is buried in a larger production image, or timeouts caused a customer-visible outage and you need a clean patch and evidence handoff.


References