
fix: upgrade simple-git to 3.36.0 to address CVE-2026-6951 #1183

Merged
brendan-kellam merged 4 commits into main from cursor/fix-simple-git-cve-6700 on May 9, 2026

Conversation

@brendan-kellam (Contributor) commented May 9, 2026

Fixes SOU-1032

Summary

This PR upgrades simple-git from 3.33.0 to 3.36.0 in both the @sourcebot/backend and @sourcebot/web packages to address CVE-2026-6951, a high-severity Remote Code Execution vulnerability.

Vulnerability Details

The vulnerability allows attackers to bypass the previous fix for CVE-2022-25912 by using the --config long-form flag instead of the -c short-form flag (which was already blocked). An attacker who can supply untrusted input to simple-git's options argument could:

  1. Enable protocol.ext.allow=always via --config
  2. Use an ext:: clone source to execute arbitrary shell commands via git's external protocol handler

This results in full remote code execution on the server.

Changes

  • Updated simple-git dependency from ^3.33.0 to ^3.36.0 in packages/backend/package.json
  • Updated simple-git dependency from ^3.33.0 to ^3.36.0 in packages/web/package.json
  • Updated yarn.lock to reflect the new version

Security Review

I reviewed all usages of simple-git in the codebase and confirmed that:

  1. User-controlled data is handled safely: Repository URLs, refs, and paths are passed as string arguments to git commands, not as part of the options object where this vulnerability could be exploited
  2. Input validation is already in place:
    • Git refs starting with - are rejected to prevent flag injection
    • File paths are validated to prevent directory traversal and null byte attacks
  3. Config usage is controlled: The -c flag is only used with hardcoded, safe configuration values (e.g., core.quotePath=false, http.extraHeader)

This upgrade provides defense-in-depth by closing the --config bypass vector, even though our existing code patterns were not directly vulnerable.

References

Linear Issue: SOU-1032


Summary by CodeRabbit

  • Bug Fixes
    • Upgraded a critical dependency across backend and web to address a remote code execution security vulnerability (CVE-2026-6951) and updated the changelog to reflect the fix.
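Defender-side checks that mirror the three review points in the PR description (flag-like refs rejected, clone sources restricted to allowlisted transports so remote-helper schemes such as ext:: never reach git, and -c/--config overrides compared against the hardcoded set), added here as an example. It is not Sourcebot's or simple-git's code; the allowlists, the function names and the assumption that simple-git's object-form options map to flag/value pairs are mine.

```javascript
// Config overrides the application deliberately sets (from the PR's security review).
const ALLOWED_CONFIG = new Set(["core.quotePath=false"]);
const ALLOWED_CONFIG_PREFIXES = ["http.extraHeader="];
// Transports a server-side cloner should accept. Assumption: https and ssh only.
const ALLOWED_URL_PREFIXES = ["https://", "ssh://", "git@"];
// Null bytes and other control characters have no place in refs or URLs.
const CONTROL_CHARS = /[\x00-\x1f\x7f]/;

// A ref is unsafe if it is empty, could be parsed as a flag, or carries control chars.
function isSafeRef(ref) {
  if (typeof ref !== "string" || ref.length === 0) return false;
  if (ref.startsWith("-")) return false;
  return !CONTROL_CHARS.test(ref);
}

// A clone source is unsafe if it is flag-like or uses a transport outside the
// allowlist; "ext::" and every other remote-helper scheme fail by construction.
function isSafeRepoUrl(url) {
  if (typeof url !== "string" || url.startsWith("-")) return false;
  if (CONTROL_CHARS.test(url)) return false;
  return ALLOWED_URL_PREFIXES.some((p) => url.startsWith(p));
}

// simple-git takes options as an array or as a { flag: value } object (assumed:
// a null value means a bare flag); flatten the object so both shapes get one scan.
function toArgList(options) {
  if (Array.isArray(options)) return options.map(String);
  return Object.entries(options).flatMap(([k, v]) => (v === null ? [k] : [k, String(v)]));
}

// Return every -c / --config / --config= value that is not on the hardcoded
// allowlist. Anything returned is a config override the code never intended.
function findUnexpectedConfigOverrides(options) {
  const args = toArgList(options);
  const unexpected = [];
  for (let i = 0; i < args.length; i++) {
    const a = args[i];
    let value = null;
    if (a === "-c" || a === "--config") {
      value = args[i + 1] ?? "";
      i++; // the value was consumed as the flag's argument
    } else if (a.startsWith("--config=")) {
      value = a.slice("--config=".length);
    }
    if (value === null) continue;
    const allowed = ALLOWED_CONFIG.has(value) ||
      ALLOWED_CONFIG_PREFIXES.some((p) => value.startsWith(p));
    if (!allowed) unexpected.push(value);
  }
  return unexpected;
}
```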


Fixes SOU-1032

Updates simple-git from 3.33.0 to 3.36.0 in both @sourcebot/backend
and @sourcebot/web packages to patch a Remote Code Execution
vulnerability where attackers could bypass the CVE-2022-25912 fix
by using --config instead of -c flag.

Code review confirmed that user-controlled inputs are already safely
handled (passed as string arguments rather than in options objects),
providing defense-in-depth alongside this upgrade.

Co-authored-by: Brendan Kellam <brendan@sourcebot.dev>
@coderabbitai (Contributor) coderabbitai Bot commented May 9, 2026

Caution

Review failed

The pull request is closed.


📥 Commits

Reviewing files that changed from the base of the PR and between d02ae37 and 4ea0fb6.

📒 Files selected for processing (1)
  • CHANGELOG.md

Walkthrough

This PR updates the simple-git dependency from ^3.33.0 to ^3.36.0 across backend and web packages to address CVE-2026-6951, an RCE vulnerability via --config bypass. A changelog entry documents the security fix.

Changes

Security Dependency Upgrade

Layer / File(s): Summary
  • Changelog Documentation (CHANGELOG.md): Added entry under Unreleased/Fixed documenting the simple-git upgrade to 3.36.0 addressing CVE-2026-6951.
  • Dependency Version Bumps (packages/backend/package.json, packages/web/package.json): simple-git version constraint bumped from ^3.33.0 to ^3.36.0 in both backend and web package manifests.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Suggested reviewers

  • msukkari
🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
  • Description Check: ✅ Passed. Check skipped - CodeRabbit's high-level summary is enabled.
  • Title check: ✅ Passed. The title clearly and specifically describes the main change: upgrading simple-git to address a critical security vulnerability (CVE-2026-6951).
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.


@github-actions (Contributor) github-actions Bot commented May 9, 2026

License Audit

⚠️ Status: PASS

Metric                    Count
Total packages            2070
Resolved (non-standard)   20
Unresolved                0
Strong copyleft           0
Weak copyleft             39

Weak Copyleft Packages (informational)

Resolved Packages (20)

Removed mention of RCE bypass in simple-git upgrade note.
@brendan-kellam brendan-kellam merged commit 8ad001c into main May 9, 2026
8 of 9 checks passed
@brendan-kellam brendan-kellam deleted the cursor/fix-simple-git-cve-6700 branch May 9, 2026 21:21