
[Snyk] Security upgrade simple-git from 3.27.0 to 3.36.0#32

Open
snyk-io[bot] wants to merge 1 commit into main from snyk-fix-fea284d255ae0b1f02cb4df9314923c0

Conversation


@snyk-io snyk-io Bot commented Apr 24, 2026


Snyk has created this PR to fix 1 vulnerability in the pnpm dependencies of this project.

Snyk changed the following file(s):

  • packages/cli/package.json
  • packages/cli/pnpm-lock.yaml

Vulnerabilities that will be fixed with an upgrade:

Issue: Remote Code Execution (RCE), critical severity, SNYK-JS-SIMPLEGIT-15456078
Score: 735

Breaking Change Risk

Merge Risk: Low

Notice: This assessment is enhanced by AI.


Important

  • Check the changes in this PR to ensure they won't cause issues with your project.
  • Max score is 1000. Note that the real score may have changed since the PR was raised.
  • This PR was automatically created by Snyk using the credentials of a real user.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic


Learn how to fix vulnerabilities with free interactive lessons:

🦉 Remote Code Execution (RCE)

…e vulnerabilities

The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-SIMPLEGIT-15456078

snyk-io Bot commented Apr 24, 2026


Merge Risk: Low

This is a minor version upgrade for simple-git from 3.27.0 to 3.36.0. The updates primarily consist of new features, bug fixes, and security enhancements.

Key Changes:

  • v3.33.0: A security enhancement was introduced where repoPath and localPath are now treated as "pathspec" arguments. This prevents potentially unsafe behavior when using unsanitized data but is not expected to break standard use cases.
  • Other versions in this range include new features like support for additional log formats and bug fixes.

No mandatory code modifications are required for this upgrade.

Source: Release notes

Notice 🤖: This content was augmented using artificial intelligence. AI-generated content may contain errors and should be reviewed for accuracy before use.


snyk-io Bot commented Apr 24, 2026


Snyk checks have passed. No issues have been found so far.

Scan Engine          | Critical | High | Medium | Low | Total (0)
Open Source Security | 0        | 0    | 0      | 0   | 0 issues
Licenses             | 0        | 0    | 0      | 0   | 0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

@hivel-marco hivel-marco Bot left a comment


PR Complexity Score: 1.4 - Trivial

View Breakdown
  • Lines Changed: 38
  • Files Changed: 2
  • Complexity Added: 0
  • Raw Score: 6.76
Overview

This PR upgrades the simple-git dependency in the CLI package and refreshes the corresponding pnpm-lock.yaml entries. It also removes an unused pnpm override and ensures all dependencies (including meow) are explicitly captured in the lockfile.

Key Changes
  • Bumps simple-git from ^3.27.0 to ^3.36.0 to pick up newer features and fixes.
  • Updates pnpm-lock.yaml to reflect the new simple-git version, its additional sub-dependencies (@simple-git/args-pathspec, @simple-git/argv-parser), and adds a locked entry for [email protected].
  • Removes the pnpm overrides entry for @chargebee/js-framework-adapters, indicating it is no longer needed or used by the CLI package.
Risks & Considerations
  • The simple-git version bump may change command parsing or Git interaction semantics; CLI commands that rely heavily on Git operations should be regression-tested.
  • New simple-git transitive dependencies (@simple-git/args-pathspec, @simple-git/argv-parser) introduce additional surface area for potential bugs or environment-specific issues.
  • Removal of the @chargebee/js-framework-adapters override assumes no remaining consumers rely on the previous link-based resolution.
File-level change summary
File                       | Change summary
packages/cli/package.json  | Updated the simple-git dependency from version ^3.27.0 to ^3.36.0.
packages/cli/pnpm-lock.yaml | Regenerated lockfile entries to remove an override, lock [email protected], and reflect the upgraded simple-git and its new sub-dependencies.
