gravity_global

Laravel concurrently and the shell-quote exploit

Looks like all installs of 11.x, 12.x and 13.x are going to face an issue with concurrently currently.

All three latest versions of Laravel use the 9x branch

"concurrently": "^9.0.1",

So will be pulling in EOL v9.2.1 from Aug 2025

https://github.com/open-cli-tools/concurrently/tags

The issue with that is its dependency is fixed to

"shell-quote": "1.8.3",

And its 1.8.4 has the patch

https://github.com/ljharb/shell-quote/security/advisories/GHSA-w7jw-789q-3m8p

So from what I can see moving it onto the 10 branch appears to still work, but it sucks if you're not using Node 22 or above.

https://github.com/open-cli-tools/concurrently/releases/tag/v10.0.0

Or we need concurrently to add that ^ to grab that shell-quote patch and push a v9.2.2

LaryAI

Certainly! Here’s a summary of the issue and a suggested solution for dealing with the concurrently and shell-quote exploit in Laravel projects (involving the fixed dependency issue).


Problem Summary:


Solution:

1. Use npm/yarn overrides (Recommended for most Laravel projects)

You can override the problematic sub-dependency (shell-quote) to always use 1.8.4, even if concurrently asks for 1.8.3. This forces npm/yarn to resolve to the patched version.

With npm (package.json):

Add to your package.json:

"overrides": {
    "shell-quote": "1.8.4"
}

With Yarn (package.json):

If using Yarn v2+:

"resolutions": {
    "shell-quote": "1.8.4"
}

Then:

npm install
# or
yarn install

This will ensure shell-quote@1.8.4 is used throughout the project, mitigating the exploit.


2. Patch concurrently manually (not ideal for long-term)

You could fork or patch concurrently to use shell-quote@1.8.4, but this creates maintenance headaches. Use the overrides/resolutions method above instead, unless you have strict audit requirements.


3. Upgrade to concurrently@10.x (if using Node.js 22+)

If your environment supports Node 22+, update your package.json:

"concurrently": "^10.0.0"

Then:

npm install

This will pull the patched dependencies, but is only viable if your node version allows.


4. Wait for an official fix

You can also open an issue or PR on concurrently’s repo requesting 9.x branch to depend on "shell-quote": "^1.8.4" and a 9.2.2 release, but this may not happen quickly.


Summary Table:

Solution                                   Node Version  Maint. Effort  Compatible with Laravel 11/12/13  Security
Package overrides (overrides/resolutions)  >=12          Low            Yes                               Good
Upgrade concurrently to 10.x               22+           Low            Yes                               Good
Patch concurrently manually                Any           High           Yes                               Good
Wait for new 9.x release                   Any           Low            Yes (after release)               Good

Example package.json override (npm):

{
  "name": "your-laravel-app",
  "dependencies": {
    "concurrently": "^9.0.1"
  },
  "overrides": {
    "shell-quote": "1.8.4"
  }
}

Conclusion:
Use the overrides (npm) or resolutions (Yarn) approach to ensure you have the patched shell-quote version now. Monitor for an official patch in the concurrently 9.x series for a more permanent fix.


References:

Let me know if you need step-by-step command line instructions!
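A check to go with the override procedure in the reply above, added here as an example; it is not code from either poster nor from the concurrently or shell-quote projects. It scans the "packages" map of a lockfileVersion 2/3 package-lock.json for every copy of shell-quote older than a given version (the nested copy under node_modules/concurrently is the one `npm ls shell-quote` would show beside a hoisted one) and builds the overrides/resolutions entries for package.json. The lockfile fragments, the sample manifest and the function names are constructed for this demo; the 1.8.4 threshold is the one named in the thread, and the script makes no claim about the advisory itself.

```javascript
// Added example (not from the thread): audit a package-lock.json for
// shell-quote versions below a patched release and generate the
// package.json override/resolution entries the reply describes.
// Function names, the sample lockfile and the sample manifest are
// constructed for this demo; the minimum version is an input.

const PATCHED_SHELL_QUOTE = '1.8.4';

// Minimal comparison for plain X.Y.Z version strings. Lockfiles record
// concrete versions, so prerelease/build tags are not handled here.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Walk the "packages" map of a lockfileVersion 2/3 package-lock.json and
// return every shell-quote install older than `minVersion`, with its
// node_modules path so the parent that pulled it in is visible.
function findVulnerableShellQuote(lock, minVersion = PATCHED_SHELL_QUOTE) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    // Keys look like "node_modules/concurrently/node_modules/shell-quote".
    if (!/(^|\/)node_modules\/shell-quote$/.test(path)) continue;
    if (compareVersions(meta.version, minVersion) < 0) {
      hits.push({ path, version: meta.version });
    }
  }
  return hits;
}

// Return a copy of package.json with the npm "overrides" and Yarn
// "resolutions" entries that force a single shell-quote version.
// npm honours "overrides" from npm 8.3 onwards; Yarn reads "resolutions".
function addShellQuoteOverride(pkg, version = PATCHED_SHELL_QUOTE) {
  const out = JSON.parse(JSON.stringify(pkg));
  out.overrides = { ...(out.overrides || {}), 'shell-quote': version };
  out.resolutions = { ...(out.resolutions || {}), 'shell-quote': version };
  return out;
}

// Constructed lockfile fragment: the app depends on concurrently, which
// nests its own shell-quote 1.8.3 under node_modules/concurrently while
// a hoisted 1.8.4 sits at the top level. Only the nested copy is flagged.
const sampleLockBefore = {
  lockfileVersion: 3,
  packages: {
    '': { dependencies: { concurrently: '^9.0.1' } },
    'node_modules/concurrently': { version: '9.2.1' },
    'node_modules/concurrently/node_modules/shell-quote': { version: '1.8.3' },
    'node_modules/shell-quote': { version: '1.8.4' },
  },
};

// Constructed lockfile after `npm install` with the override in place:
// a single hoisted shell-quote at the forced version, nothing nested.
const sampleLockAfter = {
  lockfileVersion: 3,
  packages: {
    '': { dependencies: { concurrently: '^9.0.1' } },
    'node_modules/concurrently': { version: '9.2.1' },
    'node_modules/shell-quote': { version: '1.8.4' },
  },
};

// Constructed manifest matching the reply's example package.json.
const samplePackageJson = {
  name: 'your-laravel-app',
  dependencies: { concurrently: '^9.0.1' },
};

// To audit a real project, replace sampleLockBefore with
// JSON.parse(require('fs').readFileSync('package-lock.json', 'utf8')).
if (typeof require !== 'undefined' && require.main === module) {
  console.log('before override:', findVulnerableShellQuote(sampleLockBefore));
  console.log('after override:', findVulnerableShellQuote(sampleLockAfter));
  console.log(JSON.stringify(addShellQuoteOverride(samplePackageJson), null, 2));
}
```

Two caveats when using this in practice: the "overrides" key is only honoured by npm 8.3 and later, and older npm ignores it without complaint, so re-run the audit (or `npm ls shell-quote`) after `npm install` rather than trusting the manifest edit alone; and an override pins every copy in the tree, so if a later concurrently release raises its own shell-quote requirement past the pinned version the override will hold it back and needs revisiting.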
