
[Snyk] Security upgrade simple-git from 3.27.0 to 3.32.0#30

Open
snyk-io[bot] wants to merge 1 commit into main from snyk-fix-d72a54182be5d5a498b337769a0074b7

Conversation

snyk-io Bot commented Apr 16, 2026

Snyk has created this PR to fix 1 vulnerability in the pnpm dependencies of this project.

Snyk changed the following file(s):

  • packages/cli/package.json
  • packages/cli/pnpm-lock.yaml

Vulnerabilities that will be fixed with an upgrade:

Issue                                                                Score
critical severity Command Injection (SNYK-JS-SIMPLEGIT-16032290)     735

Breaking Change Risk

Merge Risk: Low

Notice: This assessment is enhanced by AI.


Important

  • Check the changes in this PR to ensure they won't cause issues with your project.
  • Max score is 1000. Note that the real score may have changed since the PR was raised.
  • This PR was automatically created by Snyk using the credentials of a real user.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic


Learn how to fix vulnerabilities with free interactive lessons:

🦉 Command Injection

…e vulnerabilities

The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-SIMPLEGIT-16032290

snyk-io Bot commented Apr 16, 2026

Merge Risk: Low

This is a minor version upgrade for simple-git from 3.27.0 to 3.32.0. The updates consist of new features, bug fixes, and one deprecation.

Key Changes:

  • Deprecation: The git.silent method has been deprecated and will be removed in a future version.
  • New Features: Includes support for per-command configuration and allowing repeated git options.
  • Bug Fixes: A notable fix ensures git.status correctly identifies the branch name in newly cloned empty repositories.

There are no immediate breaking changes that require code modifications. The upgrade is considered safe.

Source: GitHub CHANGELOG

Notice 🤖: This content was augmented using artificial intelligence. AI-generated content may contain errors and should be reviewed for accuracy before use.


snyk-io Bot commented Apr 16, 2026

Snyk checks have passed. No issues have been found so far.

Status   Scan Engine             Critical   High   Medium   Low   Total (0)
         Open Source Security    0          0      0        0     0 issues
         Licenses                0          0      0        0     0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

hivel-marco Bot left a comment

PR Complexity Score: 1.4 - Trivial

Breakdown:
  • Lines Changed: 38
  • Files Changed: 2
  • Complexity Added: 0
  • Raw Score: 6.76
Overview

This PR updates the CLI package’s git dependency and refreshes the corresponding pnpm lockfile entries. The primary goal is to bump simple-git to a newer version and align the lockfile with the declared dependencies. It also removes an unused pnpm override and ensures meow is explicitly captured in the lockfile.

Key Changes
  • Bumped simple-git in packages/cli/package.json from ^3.27.0 to ^3.32.0, with the lockfile resolved to 3.36.0, to pick up newer fixes/features.
  • Updated pnpm-lock.yaml to reflect the new simple-git version and its additional internal dependencies (@simple-git/args-pathspec, @simple-git/argv-parser).
  • Added explicit meow@13.2.0 resolution to pnpm-lock.yaml to match the declared dependency in package.json.
  • Removed the @chargebee/js-framework-adapters override from the lockfile, indicating it is no longer needed for the CLI package.
Risks & Considerations
  • The newer simple-git version may introduce subtle behavior changes in any CLI commands that interact with git; existing git-related flows should be smoke-tested.
  • New transitive dependencies for simple-git (@simple-git/args-pathspec, @simple-git/argv-parser) add a small surface area for dependency-related issues (e.g., resolution or compatibility).
  • Removal of the @chargebee/js-framework-adapters override assumes no remaining implicit reliance on this local link; consumers relying on that override outside this package should verify their setups.
File-level change summary

File                           Change summary
packages/cli/package.json      Bumped the simple-git dependency from ^3.27.0 to ^3.32.0.
packages/cli/pnpm-lock.yaml    Regenerated lockfile entries to match updated dependencies, including the new simple-git version, the added meow entry, the new @simple-git/* packages, and removal of an unused override.
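As an added check, not code from this PR, from Snyk or from hivel: a Node script that confirms the point made in the review above, namely that the lockfile resolves simple-git inside the declared ^3.32.0 range and at or above the version the advisory is fixed in. The lockfile excerpt embedded in it is constructed to mirror the shape of a pnpm-lock.yaml v9 importers block and is not copied from the PR; the script handles caret ranges only and ignores pre-release suffixes. Pointing resolvedVersion at the real packages/cli/pnpm-lock.yaml (read with fs) runs the same check on the actual file.

```javascript
// Added example (not the PR's own code): confirm that the lockfile resolves a
// dependency inside the range declared in package.json and at or above the
// version an advisory is fixed in.  Run with: node check-lock.js
// Assumptions: pnpm-lock.yaml v9 layout for the importers block, caret ranges
// only, no pre-release comparison; LOCK_EXCERPT is constructed, not the real file.

const FIXED_VERSION = "3.32.0";   // version the Snyk PR upgrades to
const DECLARED_RANGE = "^3.32.0"; // packages/cli/package.json after the PR

// Constructed excerpt in the shape of a pnpm-lock.yaml importers block.
const LOCK_EXCERPT = `
lockfileVersion: '9.0'

importers:

  .:
    dependencies:
      meow:
        specifier: ^13.2.0
        version: 13.2.0
      simple-git:
        specifier: ^3.32.0
        version: 3.36.0
`;

// Parse "MAJOR.MINOR.PATCH" into numbers; anything after the patch is ignored.
function parseVersion(text) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(text.trim());
  if (!m) throw new Error(`not a semver version: ${text}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Comparator: -1 if a < b, 0 if equal, 1 if a > b.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Caret semantics as npm/pnpm apply them: the left-most non-zero component of
// the base version must not change, and the version must be >= the base.
function satisfiesCaret(range, version) {
  if (!range.startsWith("^")) throw new Error(`only caret ranges handled: ${range}`);
  const baseText = range.slice(1);
  const base = parseVersion(baseText);
  const v = parseVersion(version);
  if (compareVersions(version, baseText) < 0) return false;
  if (base[0] !== 0) return v[0] === base[0];
  if (base[1] !== 0) return v[0] === 0 && v[1] === base[1];
  return v[0] === 0 && v[1] === 0 && v[2] === base[2];
}

// Resolved version of a direct dependency in the importers block: find the line
// whose trimmed content is "name:" (optionally quoted) and read the indented
// "version:" line beneath it.  A pnpm peer suffix such as "(react@18.0.0)" is
// stripped.  Returns null when the dependency is not present.
function resolvedVersion(lockText, name) {
  const lines = lockText.split("\n");
  for (let i = 0; i < lines.length; i++) {
    const trimmed = lines[i].trim();
    if (trimmed !== `${name}:` && trimmed !== `'${name}':` && trimmed !== `"${name}":`) continue;
    const indent = lines[i].length - lines[i].trimStart().length;
    for (let j = i + 1; j < lines.length; j++) {
      const line = lines[j];
      if (line.trim() === "") continue;
      const childIndent = line.length - line.trimStart().length;
      if (childIndent <= indent) break; // left the entry without a version line
      const m = /^\s*version:\s*(\S+)/.exec(line);
      if (m) return m[1].replace(/\(.*$/, "");
    }
  }
  return null;
}

// Combined verdict for one dependency.
function checkDependency(lockText, name, declaredRange, fixedVersion) {
  const resolved = resolvedVersion(lockText, name);
  if (resolved === null) {
    return { name, resolved: null, inRange: false, atLeastFixed: false, ok: false };
  }
  const inRange = satisfiesCaret(declaredRange, resolved);
  const atLeastFixed = compareVersions(resolved, fixedVersion) >= 0;
  return { name, resolved, inRange, atLeastFixed, ok: inRange && atLeastFixed };
}

const result = checkDependency(LOCK_EXCERPT, "simple-git", DECLARED_RANGE, FIXED_VERSION);
console.log(JSON.stringify(result));
```

The parser deliberately reads only the importers block, where keys are bare package names; the packages and snapshots sections key entries as name@version, so they never match and cannot produce a false positive from a different copy of the package.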
