VYPR
High severity · NVD Advisory · Published Dec 12, 2022 · Updated Apr 22, 2025

Remote Code Execution (RCE)

CVE-2022-25912

Description

Versions of the package simple-git before 3.15.0 are vulnerable to Remote Code Execution (RCE) when the ext transport protocol is enabled, which makes the vulnerability exploitable via the clone() method. This vulnerability exists due to an incomplete fix of CVE-2022-24066.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

simple-git before 3.15.0 allows RCE via the ext transport protocol when using clone() due to incomplete fix of CVE-2022-24066.

Vulnerability Overview

simple-git versions before 3.15.0 are vulnerable to Remote Code Execution (RCE) when the ext transport protocol is enabled. The vulnerability affects the clone() method, allowing an attacker to inject arbitrary commands. This is due to an incomplete fix of a related vulnerability, CVE-2022-24066 [2].

Attack Vector

An attacker can exploit this by providing specially crafted input to the clone() method that includes the ext protocol. No special privileges are required beyond the ability to influence the clone parameters used by simple-git. The attack surface is exposed when user-supplied data is passed to clone operations [2][4].

Impact

Successful exploitation allows an attacker to execute arbitrary commands on the system running the simple-git application. This can lead to full compromise of the host, including data theft, lateral movement, and further system control [2].

Mitigation

The vulnerability is fixed in version 3.15.0. Users should upgrade immediately. The fix disables the use of inline configuration arguments to prevent unintended non-standard remote protocols unless explicitly opted-in via the new allowUnsafeProtocolOverride option [3][4].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
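The mitigation above depends on callers not handing attacker-influenced URLs or options to clone(). The following is an added example, not code from simple-git or from this advisory: an allowlist check to run before calling clone(). The function names, `ALLOWED_SCHEMES`, `ALLOWED_FLAGS` and the sample requests are assumptions made for illustration.

```javascript
// Added example (not simple-git code): validate user-influenced clone
// parameters before they are passed to simple-git's clone().

// Assumption: the application only needs these transports and flags.
const ALLOWED_SCHEMES = new Set(['https:', 'ssh:']);
const ALLOWED_FLAGS = new Set(['--depth', '--branch', '--single-branch', '--no-tags']);

// scp-like remote: user@host:path (single colon, never "::").
const SCP_LIKE = /^[A-Za-z0-9._-]+@[A-Za-z0-9.-]+:(?!:)[^\s]+$/;

// Returns null when the URL is acceptable, otherwise a reason string.
function checkCloneUrl(url) {
  if (typeof url !== 'string' || url.length === 0) return 'url must be a non-empty string';
  if (url.startsWith('-')) return 'url must not start with "-" (would parse as an option)';
  // "<transport>::<address>" selects a git remote helper; ext is one of them.
  if (/^[A-Za-z0-9+.-]+::/.test(url)) return 'remote-helper syntax "<transport>::" is not allowed';
  if (SCP_LIKE.test(url)) return null;
  let parsed;
  try {
    parsed = new URL(url);
  } catch {
    return 'url is not parseable';
  }
  if (!ALLOWED_SCHEMES.has(parsed.protocol)) return `scheme ${parsed.protocol} is not allowlisted`;
  return null;
}

// Accepts the array form (['--depth=1']) or the object form ({ '--depth': 1 }).
function normalizeOptions(options) {
  if (options == null) return [];
  if (Array.isArray(options)) return options.map(String);
  return Object.entries(options).map(([key, value]) =>
    typeof value === 'string' || typeof value === 'number' ? `${key}=${value}` : key
  );
}

// Returns a list of problems; an empty list means every option is allowlisted.
// An allowlist is used because git accepts unambiguous abbreviations of long
// options, so a denylist of exact names such as "--config" can be bypassed.
function checkCloneOptions(options) {
  const problems = [];
  for (const arg of normalizeOptions(options)) {
    const flag = arg.split('=', 1)[0];
    if (/^-c/.test(arg) || flag === '--config') {
      // Inline configuration is what the 3.15.0 fix blocks by default.
      problems.push(`inline configuration override rejected: ${flag}`);
    } else if (!ALLOWED_FLAGS.has(flag)) {
      problems.push(`option not allowlisted: ${flag}`);
    }
  }
  return problems;
}

function validateCloneRequest({ url, options }) {
  const reasons = [];
  const urlProblem = checkCloneUrl(url);
  if (urlProblem) reasons.push(urlProblem);
  reasons.push(...checkCloneOptions(options));
  return { ok: reasons.length === 0, reasons };
}

// Constructed sample requests (not taken from any real incident).
const SAMPLES = [
  { url: 'https://github.com/steveukx/git-js.git', options: ['--depth=1'] },
  { url: 'git@github.com:steveukx/git-js.git', options: { '--branch': 'main' } },
  { url: 'ext::constructed-placeholder', options: [] },
  {
    url: 'https://github.com/steveukx/git-js.git',
    options: ['-c', 'protocol.example.allow=always'],
  },
];

for (const sample of SAMPLES) {
  // Only call git.clone(sample.url, targetDir, sample.options) when ok is true.
  console.log(sample.url, JSON.stringify(validateCloneRequest(sample)));
}
```

This check complements the upgrade to 3.15.0 and does not replace it; leave `allowUnsafeProtocolOverride` unset for any instance that handles untrusted input.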

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
simple-git (npm) | < 3.15.0 | 3.15.0

Patches

774648049eb3

Chore: bump lerna, jest and create prettier workflow (#862)

https://github.com/steveukx/git-js · Steve King · Nov 12, 2022 · via ghsa
19 files changed · +1586 -1431
  • .changeset/poor-tools-doubt.md+5 0 added
    @@ -0,0 +1,5 @@
    +---
    +'simple-git': minor
    +---
    +
    +Disables the use of inline configuration arguments to prevent unitentionally allowing non-standard remote protocols without explicitly opting in to this practice with the new `allowUnsafeProtocolOverride` property having been enabled.
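Review bot: "unitentionally" in the added changeset text is misspelled and will be copied into the published changelog; it should read "unintentionally". The entry also declares a `minor` release introducing `allowUnsafeProtocolOverride`, yet none of the source hunks shown on this page implement or test that option, so the changeset would be easier to audit if it landed in the same commit as the code that enforces the restriction.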
    
  • .changeset/skip-hop-jump.md+6 0 added
    @@ -0,0 +1,6 @@
    +---
    +'simple-git': patch
    +---
    +
    +- Upgrade repo dependencies - lerna and jest
    +- Include node@19 in the test matrix
    
  • .github/delete-merged-branch-config.yml+1 1 modified
    @@ -1,3 +1,3 @@
     exclude:
    -   -  changeset-release/*
    +   - changeset-release/*
     delete_closed_pr: false
    
  • .github/dependabot.yml+4 4 modified
    @@ -1,6 +1,6 @@
     version: 2
     updates:
    -- package-ecosystem: "github-actions"
    -  directory: "/"
    -  schedule:
    -      interval: "weekly"
    +   - package-ecosystem: 'github-actions'
    +     directory: '/'
    +     schedule:
    +        interval: 'weekly'
    
  • .github/FUNDING.yml+0 1 modified
    @@ -1,7 +1,6 @@
     # These are supported funding model platforms
     
     github: [steveukx]
    -
     # patreon: # Replace with a single Patreon username
     # open_collective: # Replace with a single Open Collective username
     # ko_fi: # Replace with a single Ko-fi username
    
  • .github/workflows/changesets.yml+9 9 modified
    @@ -9,21 +9,21 @@ jobs:
        release:
           runs-on: ubuntu-latest
           steps:
    -        -  name: Checkout Repo
    +         - name: Checkout Repo
                uses: actions/checkout@v3
                with:
    -             fetch-depth: 0
    +              fetch-depth: 0
     
    -        -  uses: actions/setup-node@v3
    +         - uses: actions/setup-node@v3
                with:
    -               node-version: 16
    +              node-version: 18
     
    -        -  run: yarn --frozen-lockfile
    -        -  run: yarn build
    +         - run: yarn --frozen-lockfile
    +         - run: yarn build
     
    -        -  uses: changesets/action@v1
    +         - uses: changesets/action@v1
                with:
                   publish: yarn changeset publish
                env:
    -               GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    -               NPM_TOKEN: ${{secrets.NPM_AUTH_TOKEN}}
    +              GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    +              NPM_TOKEN: ${{secrets.NPM_AUTH_TOKEN}}
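Review bot: The release step at `uses: changesets/action@v1` receives `GITHUB_TOKEN` and `NPM_TOKEN` while the action is referenced by a mutable tag; pinning it, along with `actions/checkout@v3` and `actions/setup-node@v3`, to a full commit SHA would keep a retagged action from running with the publish token. The `node-version: 16` to `18` change is also a behaviour change inside an otherwise whitespace-only hunk and deserves a line in the commit message.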
    
  • .github/workflows/ci.yml+8 8 modified
    @@ -2,32 +2,32 @@ name: CI
     
     on:
        push:
    -      branches: [ main ]
    +      branches: [main]
        pull_request:
    -      branches: [ main ]
    +      branches: [main]
     
     permissions:
    -  contents: read
    +   contents: read
     
     jobs:
        build:
           runs-on: ubuntu-latest
           strategy:
              matrix:
    -            node-version: [14, 16, 18]
    +            node-version: [14, 16, 18, 19]
           steps:
              - uses: actions/checkout@v3
              - name: Use Node.js ${{ matrix.node-version }}
                uses: actions/setup-node@v3
                with:
    -             node-version: ${{ matrix.node-version }}
    -             cache: yarn
    +              node-version: ${{ matrix.node-version }}
    +              cache: yarn
              - run: node --version
              - run: git --version
              - run: yarn install --frozen-lockfile
              - run: yarn build
              - name: Test
                env:
    -              GIT_AUTHOR_NAME: "Simple Git Tests"
    -              GIT_AUTHOR_EMAIL: "tests@simple-git.dev"
    +              GIT_AUTHOR_NAME: 'Simple Git Tests'
    +              GIT_AUTHOR_EMAIL: 'tests@simple-git.dev'
                run: yarn test
    
  • .github/workflows/quality.yml+23 0 added
    @@ -0,0 +1,23 @@
    +name: Lint
    +
    +on:
    +   push:
    +      branches: [main]
    +   pull_request:
    +      branches: [main]
    +
    +permissions:
    +   contents: read
    +
    +jobs:
    +   lint:
    +      runs-on: ubuntu-latest
    +      steps:
    +         - uses: actions/checkout@v3
    +         - name: Use Node.js
    +           uses: actions/setup-node@v3
    +           with:
    +              node-version: 18
    +              cache: yarn
    +         - run: yarn install --frozen-lockfile
    +         - run: yarn prettier --check .
    
  • lerna.json+1 4 modified
    @@ -6,10 +6,7 @@
           "license": "MIT"
         }
       },
    -  "ignoreChanges": [
    -    "**/test/**",
    -    "**/*.md"
    -  ],
    +  "ignoreChanges": ["**/test/**", "**/*.md"],
       "useWorkspaces": true,
       "version": "2.48.0"
     }
    
  • package.json+1 1 modified
    @@ -17,7 +17,7 @@
       "dependencies": {
         "@changesets/changelog-github": "^0.4.2",
         "@changesets/cli": "^2.20.0",
    -    "lerna": "^5.5.1",
    +    "lerna": "^6.0.3",
         "prettier": "^2.7.1"
       }
     }
    
  • packages/babel-config/babel.config.js+4 4 modified
    @@ -1,9 +1,9 @@
     const { resolve } = require('path');
     const { existsSync } = require('fs');
     
    -function resolver() {
    +function resolver(resolveToDist) {
        const root = resolve(__dirname, '../..', 'simple-git');
    -   const dist = resolve(root, 'dist', 'cjs');
    +   const dist = resolveToDist ? resolve(root, 'dist', 'cjs') : root;
     
        const pkg = existsSync(dist) ? dist : root;
     
    @@ -19,7 +19,7 @@ function resolver() {
        ];
     }
     
    -module.exports = function (resolve = false) {
    +module.exports = function (resolveToDist = false) {
        return {
           presets: [
              [
    @@ -32,6 +32,6 @@ module.exports = function (resolve = false) {
              ],
              '@babel/preset-typescript',
           ],
    -      plugins: resolve ? [resolver()] : [],
    +      plugins: [resolver(resolveToDist)],
        };
     };
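Review bot: `plugins: [resolver(resolveToDist)]` now registers the resolver for every caller, where the removed line returned an empty plugin list when the flag was false; that is a behaviour change in a commit described as a dependency bump and formatting pass. With `resolveToDist` false, `dist` equals `root` in the first hunk, so `existsSync(dist) ? dist : root` always yields `root`; a short comment stating that the default now resolves to the package root would make the intent clear.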
    
  • packages/test-utils/src/expectations.ts+1 1 modified
    @@ -1,4 +1,4 @@
    -import { GitError, GitResponseError } from "simple-git";
    +import { GitError, GitResponseError } from 'simple-git';
     
     /**
      * Convenience for asserting the type and message of a `GitError`
    
  • .prettierignore+4 2 modified
    @@ -1,3 +1,5 @@
    -node_modules
    +*.md
    +.changeset
     dist
    -CHANGELOG.md
    +coverage
    +node_modules
    
  • simple-git/package.json+2 2 modified
    @@ -23,11 +23,11 @@
         "@simple-git/babel-config": "^1.0.0",
         "@simple-git/test-utils": "^2.0.0",
         "@types/debug": "^4.1.5",
    -    "@types/jest": "^27.0.3",
    +    "@types/jest": "^29.2.2",
         "@types/node": "^16",
         "esbuild": "^0.14.10",
         "esbuild-node-externals": "^1.4.1",
    -    "jest": "^27.4.5",
    +    "jest": "^29.3.1",
         "ts-node": "^9.0.0",
         "typescript": "^4.1.2"
       },
    
  • simple-git/src/git.js+53 53 modified
    @@ -69,7 +69,7 @@ function Git(options, plugins) {
      * @param {string} command
      * @returns {Git}
      */
    -Git.prototype.customBinary = function(command) {
    +Git.prototype.customBinary = function (command) {
        this._executor.binary = command;
        return this;
     };
    @@ -82,7 +82,7 @@ Git.prototype.customBinary = function(command) {
      * @param {string} [value]
      * @returns {Git}
      */
    -Git.prototype.env = function(name, value) {
    +Git.prototype.env = function (name, value) {
        if (arguments.length === 1 && typeof name === 'object') {
           this._executor.env = name;
        } else {
    @@ -95,7 +95,7 @@ Git.prototype.env = function(name, value) {
     /**
      * List the stash(s) of the local repo
      */
    -Git.prototype.stashList = function(options) {
    +Git.prototype.stashList = function (options) {
        return this._runTask(
           stashListTask(
              trailingOptionsArgument(arguments) || {},
    @@ -116,7 +116,7 @@ function createCloneTask(api, task, repoPath, localPath) {
     /**
      * Clone a git repo
      */
    -Git.prototype.clone = function() {
    +Git.prototype.clone = function () {
        return this._runTask(
           createCloneTask('clone', cloneTask, ...arguments),
           trailingFunctionArgument(arguments)
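Review bot: The doc comment above `Git.prototype.clone` still reads only "Clone a git repo", although the changeset in this commit announces that inline configuration arguments are blocked unless `allowUnsafeProtocolOverride` is enabled. Because `...arguments` is forwarded to `createCloneTask` unchanged, the comment should state which arguments are rejected and where that check runs.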
    @@ -126,7 +126,7 @@ Git.prototype.clone = function() {
     /**
      * Mirror a git repo
      */
    -Git.prototype.mirror = function() {
    +Git.prototype.mirror = function () {
        return this._runTask(
           createCloneTask('mirror', cloneMirrorTask, ...arguments),
           trailingFunctionArgument(arguments)
    @@ -141,7 +141,7 @@ Git.prototype.mirror = function() {
      * @param {string|string[]} from
      * @param {string} to
      */
    -Git.prototype.mv = function(from, to) {
    +Git.prototype.mv = function (from, to) {
        return this._runTask(moveTask(from, to), trailingFunctionArgument(arguments));
     };
     
    @@ -150,10 +150,10 @@ Git.prototype.mv = function(from, to) {
      *
      * @param {Function} [then]
      */
    -Git.prototype.checkoutLatestTag = function(then) {
    +Git.prototype.checkoutLatestTag = function (then) {
        var git = this;
    -   return this.pull(function() {
    -      git.tags(function(err, tags) {
    +   return this.pull(function () {
    +      git.tags(function (err, tags) {
              git.checkout(tags.latest, then);
           });
        });
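Review bot: In `checkoutLatestTag`, the `git.tags(function (err, tags) {` callback never checks `err`, so a failed tag listing reaches `tags.latest` without a guard, and the `pull` callback ignores its error as well. While these lines are being touched, pass `err` to `then` and return early when it is set.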
    @@ -162,7 +162,7 @@ Git.prototype.checkoutLatestTag = function(then) {
     /**
      * Pull the updated contents of the current repo
      */
    -Git.prototype.pull = function(remote, branch, options, then) {
    +Git.prototype.pull = function (remote, branch, options, then) {
        return this._runTask(
           pullTask(
              filterType(remote, filterString),
    @@ -183,7 +183,7 @@ Git.prototype.pull = function(remote, branch, options, then) {
      * @param {string} [remote]
      * @param {string} [branch]
      */
    -Git.prototype.fetch = function(remote, branch) {
    +Git.prototype.fetch = function (remote, branch) {
        return this._runTask(
           fetchTask(
              filterType(remote, filterString),
    @@ -201,7 +201,7 @@ Git.prototype.fetch = function(remote, branch) {
      * @param {boolean} silence
      * @returns {Git}
      */
    -Git.prototype.silent = function(silence) {
    +Git.prototype.silent = function (silence) {
        console.warn(
           'simple-git deprecation notice: git.silent: logging should be configured using the `debug` library / `DEBUG` environment variable, this will be an error in version 3'
        );
    @@ -217,7 +217,7 @@ Git.prototype.silent = function(silence) {
      * @param {Object} [options]
      * @param {Function} [then]
      */
    -Git.prototype.tags = function(options, then) {
    +Git.prototype.tags = function (options, then) {
        return this._runTask(
           tagListTask(getTrailingOptions(arguments)),
           trailingFunctionArgument(arguments)
    @@ -228,7 +228,7 @@ Git.prototype.tags = function(options, then) {
      * Rebases the current working copy. Options can be supplied either as an array of string parameters
      * to be sent to the `git rebase` command, or a standard options object.
      */
    -Git.prototype.rebase = function() {
    +Git.prototype.rebase = function () {
        return this._runTask(
           straightThroughStringTask(['rebase', ...getTrailingOptions(arguments)]),
           trailingFunctionArgument(arguments)
    @@ -238,7 +238,7 @@ Git.prototype.rebase = function() {
     /**
      * Reset a repo
      */
    -Git.prototype.reset = function(mode) {
    +Git.prototype.reset = function (mode) {
        return this._runTask(
           resetTask(getResetMode(mode), getTrailingOptions(arguments)),
           trailingFunctionArgument(arguments)
    @@ -248,7 +248,7 @@ Git.prototype.reset = function(mode) {
     /**
      * Revert one or more commits in the local working copy
      */
    -Git.prototype.revert = function(commit) {
    +Git.prototype.revert = function (commit) {
        const next = trailingFunctionArgument(arguments);
     
        if (typeof commit !== 'string') {
    @@ -264,7 +264,7 @@ Git.prototype.revert = function(commit) {
     /**
      * Add a lightweight tag to the head of the current branch
      */
    -Git.prototype.addTag = function(name) {
    +Git.prototype.addTag = function (name) {
        const task =
           typeof name === 'string'
              ? addTagTask(name)
    @@ -276,7 +276,7 @@ Git.prototype.addTag = function(name) {
     /**
      * Add an annotated tag to the head of the current branch
      */
    -Git.prototype.addAnnotatedTag = function(tagName, tagMessage) {
    +Git.prototype.addAnnotatedTag = function (tagName, tagMessage) {
        return this._runTask(
           addAnnotatedTagTask(tagName, tagMessage),
           trailingFunctionArgument(arguments)
    @@ -287,7 +287,7 @@ Git.prototype.addAnnotatedTag = function(tagName, tagMessage) {
      * Check out a tag or revision, any number of additional arguments can be passed to the `git checkout` command
      * by supplying either a string or array of strings as the first argument.
      */
    -Git.prototype.checkout = function() {
    +Git.prototype.checkout = function () {
        const commands = ['checkout', ...getTrailingOptions(arguments, true)];
        return this._runTask(straightThroughStringTask(commands), trailingFunctionArgument(arguments));
     };
    @@ -299,21 +299,21 @@ Git.prototype.checkout = function() {
      * @param {string} startPoint (e.g origin/development)
      * @param {Function} [then]
      */
    -Git.prototype.checkoutBranch = function(branchName, startPoint, then) {
    +Git.prototype.checkoutBranch = function (branchName, startPoint, then) {
        return this.checkout(['-b', branchName, startPoint], trailingFunctionArgument(arguments));
     };
     
     /**
      * Check out a local branch
      */
    -Git.prototype.checkoutLocalBranch = function(branchName, then) {
    +Git.prototype.checkoutLocalBranch = function (branchName, then) {
        return this.checkout(['-b', branchName], trailingFunctionArgument(arguments));
     };
     
     /**
      * Delete a local branch
      */
    -Git.prototype.deleteLocalBranch = function(branchName, forceDelete, then) {
    +Git.prototype.deleteLocalBranch = function (branchName, forceDelete, then) {
        return this._runTask(
           deleteBranchTask(branchName, typeof forceDelete === 'boolean' ? forceDelete : false),
           trailingFunctionArgument(arguments)
    @@ -323,7 +323,7 @@ Git.prototype.deleteLocalBranch = function(branchName, forceDelete, then) {
     /**
      * Delete one or more local branches
      */
    -Git.prototype.deleteLocalBranches = function(branchNames, forceDelete, then) {
    +Git.prototype.deleteLocalBranches = function (branchNames, forceDelete, then) {
        return this._runTask(
           deleteBranchesTask(branchNames, typeof forceDelete === 'boolean' ? forceDelete : false),
           trailingFunctionArgument(arguments)
    @@ -336,7 +336,7 @@ Git.prototype.deleteLocalBranches = function(branchNames, forceDelete, then) {
      * @param {Object | string[]} [options]
      * @param {Function} [then]
      */
    -Git.prototype.branch = function(options, then) {
    +Git.prototype.branch = function (options, then) {
        return this._runTask(
           branchTask(getTrailingOptions(arguments)),
           trailingFunctionArgument(arguments)
    @@ -348,14 +348,14 @@ Git.prototype.branch = function(options, then) {
      *
      * @param {Function} [then]
      */
    -Git.prototype.branchLocal = function(then) {
    +Git.prototype.branchLocal = function (then) {
        return this._runTask(branchLocalTask(), trailingFunctionArgument(arguments));
     };
     
     /**
      * Executes any command against the git binary.
      */
    -Git.prototype.raw = function(commands) {
    +Git.prototype.raw = function (commands) {
        const createRestCommands = !Array.isArray(commands);
        const command = [].slice.call(createRestCommands ? arguments : commands, 0);
     
    @@ -380,32 +380,32 @@ Git.prototype.raw = function(commands) {
        return this._runTask(straightThroughStringTask(command, this._trimmed), next);
     };
     
    -Git.prototype.submoduleAdd = function(repo, path, then) {
    +Git.prototype.submoduleAdd = function (repo, path, then) {
        return this._runTask(addSubModuleTask(repo, path), trailingFunctionArgument(arguments));
     };
     
    -Git.prototype.submoduleUpdate = function(args, then) {
    +Git.prototype.submoduleUpdate = function (args, then) {
        return this._runTask(
           updateSubModuleTask(getTrailingOptions(arguments, true)),
           trailingFunctionArgument(arguments)
        );
     };
     
    -Git.prototype.submoduleInit = function(args, then) {
    +Git.prototype.submoduleInit = function (args, then) {
        return this._runTask(
           initSubModuleTask(getTrailingOptions(arguments, true)),
           trailingFunctionArgument(arguments)
        );
     };
     
    -Git.prototype.subModule = function(options, then) {
    +Git.prototype.subModule = function (options, then) {
        return this._runTask(
           subModuleTask(getTrailingOptions(arguments)),
           trailingFunctionArgument(arguments)
        );
     };
     
    -Git.prototype.listRemote = function() {
    +Git.prototype.listRemote = function () {
        return this._runTask(
           listRemotesTask(getTrailingOptions(arguments)),
           trailingFunctionArgument(arguments)
    @@ -415,7 +415,7 @@ Git.prototype.listRemote = function() {
     /**
      * Adds a remote to the list of remotes.
      */
    -Git.prototype.addRemote = function(remoteName, remoteRepo, then) {
    +Git.prototype.addRemote = function (remoteName, remoteRepo, then) {
        return this._runTask(
           addRemoteTask(remoteName, remoteRepo, getTrailingOptions(arguments)),
           trailingFunctionArgument(arguments)
    @@ -425,15 +425,15 @@ Git.prototype.addRemote = function(remoteName, remoteRepo, then) {
     /**
      * Removes an entry by name from the list of remotes.
      */
    -Git.prototype.removeRemote = function(remoteName, then) {
    +Git.prototype.removeRemote = function (remoteName, then) {
        return this._runTask(removeRemoteTask(remoteName), trailingFunctionArgument(arguments));
     };
     
     /**
      * Gets the currently available remotes, setting the optional verbose argument to true includes additional
      * detail on the remotes themselves.
      */
    -Git.prototype.getRemotes = function(verbose, then) {
    +Git.prototype.getRemotes = function (verbose, then) {
        return this._runTask(getRemotesTask(verbose === true), trailingFunctionArgument(arguments));
     };
     
    @@ -443,7 +443,7 @@ Git.prototype.getRemotes = function(verbose, then) {
      * @param {string[]} options
      * @param {Function} [then]
      */
    -Git.prototype.remote = function(options, then) {
    +Git.prototype.remote = function (options, then) {
        return this._runTask(
           remoteTask(getTrailingOptions(arguments)),
           trailingFunctionArgument(arguments)
    @@ -456,7 +456,7 @@ Git.prototype.remote = function(options, then) {
      * @param {string[]} options
      * @param {Function} [then]
      */
    -Git.prototype.tag = function(options, then) {
    +Git.prototype.tag = function (options, then) {
        const command = getTrailingOptions(arguments);
     
        if (command[0] !== 'tag') {
    @@ -471,7 +471,7 @@ Git.prototype.tag = function(options, then) {
      *
      * @param {Function} [then]
      */
    -Git.prototype.updateServerInfo = function(then) {
    +Git.prototype.updateServerInfo = function (then) {
        return this._runTask(
           straightThroughStringTask(['update-server-info']),
           trailingFunctionArgument(arguments)
    @@ -485,7 +485,7 @@ Git.prototype.updateServerInfo = function(then) {
      * @param {string} [remote]
      * @param {Function} [then]
      */
    -Git.prototype.pushTags = function(remote, then) {
    +Git.prototype.pushTags = function (remote, then) {
        const task = pushTagsTask(
           { remote: filterType(remote, filterString) },
           getTrailingOptions(arguments)
    @@ -497,7 +497,7 @@ Git.prototype.pushTags = function(remote, then) {
     /**
      * Removes the named files from source control.
      */
    -Git.prototype.rm = function(files) {
    +Git.prototype.rm = function (files) {
        return this._runTask(
           straightThroughStringTask(['rm', '-f', ...asArray(files)]),
           trailingFunctionArgument(arguments)
    @@ -510,7 +510,7 @@ Git.prototype.rm = function(files) {
      *
      * @param {string|string[]} files
      */
    -Git.prototype.rmKeepLocal = function(files) {
    +Git.prototype.rmKeepLocal = function (files) {
        return this._runTask(
           straightThroughStringTask(['rm', '--cached', ...asArray(files)]),
           trailingFunctionArgument(arguments)
    @@ -526,15 +526,15 @@ Git.prototype.rmKeepLocal = function(files) {
      * @param {string[]} [options]
      * @param {Function} [then]
      */
    -Git.prototype.catFile = function(options, then) {
    +Git.prototype.catFile = function (options, then) {
        return this._catFile('utf-8', arguments);
     };
     
    -Git.prototype.binaryCatFile = function() {
    +Git.prototype.binaryCatFile = function () {
        return this._catFile('buffer', arguments);
     };
     
    -Git.prototype._catFile = function(format, args) {
    +Git.prototype._catFile = function (format, args) {
        var handler = trailingFunctionArgument(args);
        var command = ['cat-file'];
        var options = args[0];
    @@ -556,7 +556,7 @@ Git.prototype._catFile = function(format, args) {
        return this._runTask(task, handler);
     };
     
    -Git.prototype.diff = function(options, then) {
    +Git.prototype.diff = function (options, then) {
        const task = filterString(options)
           ? configurationErrorTask(
                'git.diff: supplying options as a single string is no longer supported, switch to an array of strings'
    @@ -566,14 +566,14 @@ Git.prototype.diff = function(options, then) {
        return this._runTask(task, trailingFunctionArgument(arguments));
     };
     
    -Git.prototype.diffSummary = function() {
    +Git.prototype.diffSummary = function () {
        return this._runTask(
           diffSummaryTask(getTrailingOptions(arguments, 1)),
           trailingFunctionArgument(arguments)
        );
     };
     
    -Git.prototype.applyPatch = function(patches) {
    +Git.prototype.applyPatch = function (patches) {
        const task = !filterStringOrStringArray(patches)
           ? configurationErrorTask(
                `git.applyPatch requires one or more string patches as the first argument`
    @@ -583,7 +583,7 @@ Git.prototype.applyPatch = function(patches) {
        return this._runTask(task, trailingFunctionArgument(arguments));
     };
     
    -Git.prototype.revparse = function() {
    +Git.prototype.revparse = function () {
        const commands = ['rev-parse', ...getTrailingOptions(arguments, true)];
        return this._runTask(
           straightThroughStringTask(commands, true),
    @@ -597,7 +597,7 @@ Git.prototype.revparse = function() {
      * @param {string[]} [options]
      * @param {Function} [then]
      */
    -Git.prototype.show = function(options, then) {
    +Git.prototype.show = function (options, then) {
        return this._runTask(
           straightThroughStringTask(['show', ...getTrailingOptions(arguments, 1)]),
           trailingFunctionArgument(arguments)
    @@ -606,7 +606,7 @@ Git.prototype.show = function(options, then) {
     
     /**
      */
    -Git.prototype.clean = function(mode, options, then) {
    +Git.prototype.clean = function (mode, options, then) {
        const usingCleanOptionsArray = isCleanOptionsArray(mode);
        const cleanMode =
           (usingCleanOptionsArray && mode.join('')) || filterType(mode, filterString) || '';
    @@ -618,7 +618,7 @@ Git.prototype.clean = function(mode, options, then) {
        );
     };
     
    -Git.prototype.exec = function(then) {
    +Git.prototype.exec = function (then) {
        const task = {
           commands: [],
           format: 'utf-8',
    @@ -637,7 +637,7 @@ Git.prototype.exec = function(then) {
      *
      * @returns {Git}
      */
    -Git.prototype.clearQueue = function() {
    +Git.prototype.clearQueue = function () {
        // TODO:
        // this._executor.clear();
        return this;
    @@ -649,14 +649,14 @@ Git.prototype.clearQueue = function() {
      * @param {string|string[]} pathnames
      * @param {Function} [then]
      */
    -Git.prototype.checkIgnore = function(pathnames, then) {
    +Git.prototype.checkIgnore = function (pathnames, then) {
        return this._runTask(
           checkIgnoreTask(asArray(filterType(pathnames, filterStringOrStringArray, []))),
           trailingFunctionArgument(arguments)
        );
     };
     
    -Git.prototype.checkIsRepo = function(checkType, then) {
    +Git.prototype.checkIsRepo = function (checkType, then) {
        return this._runTask(
           checkIsRepoTask(filterType(checkType, filterString)),
           trailingFunctionArgument(arguments)
    
  • simple-git/src/lib/plugins/timout-plugin.ts+2 2 modified
    @@ -1,6 +1,6 @@
    -import { SimpleGitOptions } from '../types';
    +import type { SimpleGitPlugin } from './simple-git-plugin';
     
    -import { SimpleGitPlugin } from './simple-git-plugin';
    +import type { SimpleGitOptions } from '../types';
     import { GitPluginError } from '../errors/git-plugin-error';
     
     export function timeoutPlugin({
    
  • simple-git/test/integration/broken-chains.spec.ts+8 3 modified
    @@ -1,6 +1,11 @@
    -import { isPromiseFailure, promiseError, promiseResult } from "@kwsites/promise-result";
    -import { assertGitError, createTestContext, newSimpleGit, SimpleGitTestContext } from "@simple-git/test-utils";
    -import { SimpleGit } from "../../typings";
    +import { isPromiseFailure, promiseError, promiseResult } from '@kwsites/promise-result';
    +import {
    +   assertGitError,
    +   createTestContext,
    +   newSimpleGit,
    +   SimpleGitTestContext,
    +} from '@simple-git/test-utils';
    +import { SimpleGit } from '../../typings';
     
     /*
        The broken chains test assures the behaviour of both standard and Promise wrapped versions
    
  • simple-git/test/integration/plugin.abort.spec.ts+10 10 modified
    @@ -32,16 +32,16 @@ describe('timeout', () => {
     
           const repos = await Promise.all('abcdef'.split('').map((p) => context.dir(p)));
     
    -      await Promise.all(
    -         repos.map((baseDir) => {
    -            const git = newSimpleGit({ baseDir, abort });
    -            if (baseDir.endsWith('a')) {
    -               return promiseError(git.init().then(() => controller.abort()));
    -            }
    -
    -            return promiseError(git.clone(upstream, baseDir));
    -         })
    -      );
    +      repos.map((baseDir) => {
    +         const git = newSimpleGit({ baseDir, abort });
    +         if (baseDir.endsWith('a')) {
    +            return promiseError(git.init());
    +         }
    +         return promiseError(git.clone(upstream, baseDir));
    +      });
    +
    +      await wait(0);
    +      controller.abort();
     
           const results = await Promise.all(
              repos.map((baseDir) => newSimpleGit(baseDir).checkIsRepo())
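Review bot: The array returned by the new `repos.map((baseDir) => {` call is discarded, so the `promiseError(...)` promises for `git.init()` and `git.clone()` are never awaited and the `checkIsRepo()` calls that follow can run while those tasks are still settling. Keep the array (for example `const tasks = repos.map(...)`) and `await Promise.all(tasks)` after `controller.abort()` instead of relying on `await wait(0)` for ordering.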
    
  • yarn.lock+1444 1326 modified

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
