{"id":2356196,"name":"shelljs","ecosystem":"npm","description":"Portable Unix shell commands for Node.js","homepage":"http://github.com/shelljs/shelljs","licenses":"BSD-3-Clause","normalized_licenses":["BSD-3-Clause"],"repository_url":"https://github.com/shelljs/shelljs","keywords_array":["shelljs","bash","unix","shell","makefile","make","jake","synchronous"],"namespace":null,"versions_count":57,"first_release_published_at":"2012-03-02T21:46:14.725Z","latest_release_published_at":"2025-05-09T19:16:39.087Z","latest_release_number":"0.10.0","last_synced_at":"2026-05-29T02:31:02.871Z","created_at":"2022-04-10T00:38:20.660Z","updated_at":"2026-05-29T02:31:02.871Z","registry_url":"https://www.npmjs.com/package/shelljs","install_command":"npm install shelljs","documentation_url":null,"metadata":{"funding":null,"dist-tags":{"latest":"0.10.0"}},"repo_metadata":{"id":2619746,"uuid":"3604157","full_name":"shelljs/shelljs","owner":"shelljs","description":":shell: Portable Unix shell commands for Node.js","archived":false,"fork":false,"pushed_at":"2026-04-16T07:04:53.000Z","size":1707,"stargazers_count":14404,"open_issues_count":100,"forks_count":746,"subscribers_count":168,"default_branch":"main","last_synced_at":"2026-04-23T18:37:41.972Z","etag":null,"topics":["bash","javascript","node","nodejs","shell","shelljs","unix"],"latest_commit_sha":null,"homepage":"https://www.npmjs.com/package/shelljs","language":"JavaScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"bsd-3-clause","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/shelljs.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":".github/SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2012-03-02T17:04:47.000Z","updated_at":"2026-04-22T14:49:47.000Z","dependencies_parsed_at":"2023-07-13T15:51:24.361Z","dependency_job_id":"e67652b1-5b15-476f-ad8e-cd772b165cf0","html_url":"https://github.com/shelljs/shelljs","commit_stats":{"total_commits":703,"total_committers":97,"mean_commits":7.247422680412371,"dds":0.6728307254623045,"last_synced_commit":"8a960da8383666024bfdb2eff709a4fdf66333ee"},"previous_names":["arturadib/shelljs"],"tags_count":50,"template":false,"template_full_name":null,"purl":"pkg:github/shelljs/shelljs","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/shelljs%2Fshelljs","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/shelljs%2Fshelljs/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/shelljs%2Fshelljs/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/shelljs%2Fshelljs/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/shelljs","download_url":"https://codeload.github.com/shelljs/shelljs/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/shelljs%2Fshelljs/sbom","scorecard":{"id":817525,"data":{"date":"2025-08-11","repo":{"name":"github.com/shelljs/shelljs","commit":"4580c00398982618ff075dd4354b0234a1d679dc"},"scorecard":{"version":"v5.2.1-40-gf6ed084d","commit":"f6ed084d17c9236477efd66e5b258b9d4cc7b389"},"score":4.6,"checks":[{"name":"Code-Review","score":1,"reason":"Found 3/30 approved changesets -- score normalized to 1","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#code-review"}},{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#binary-artifacts"}},{"name":"Maintained","score":1,"reason":"0 commit(s) and 2 issue activity found in the last 90 days -- score normalized to 1","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#maintained"}},{"name":"Token-Permissions","score":0,"reason":"detected GitHub workflow tokens with excessive permissions","details":["Warn: no topLevel permission defined: .github/workflows/main.yml:1","Info: no jobLevel write permissions found"],"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#token-permissions"}},{"name":"Packaging","score":-1,"reason":"packaging workflow not detected","details":["Warn: no GitHub/GitLab publishing workflow detected."],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#packaging"}},{"name":"Dangerous-Workflow","score":10,"reason":"no dangerous workflow patterns detected","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#dangerous-workflow"}},{"name":"Security-Policy","score":10,"reason":"security policy file detected","details":["Info: security policy file detected: .github/SECURITY.md:1","Info: Found linked content: .github/SECURITY.md:1","Info: Found disclosure, vulnerability, and/or timelines in security policy: .github/SECURITY.md:1","Info: Found text in security policy: .github/SECURITY.md:1"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#security-policy"}},{"name":"Pinned-Dependencies","score":0,"reason":"dependency not pinned by hash detected -- score normalized to 0","details":["Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/main.yml:21: update your workflow using https://app.stepsecurity.io/secureworkflow/shelljs/shelljs/main.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/main.yml:22: update your workflow using https://app.stepsecurity.io/secureworkflow/shelljs/shelljs/main.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/main.yml:35: update your workflow using https://app.stepsecurity.io/secureworkflow/shelljs/shelljs/main.yml/main?enable=pin","Warn: npmCommand not pinned by hash: .github/workflows/main.yml:26","Info:   0 out of   2 GitHub-owned GitHubAction dependencies pinned","Info:   0 out of   1 third-party GitHubAction dependencies pinned","Info:   0 out of   1 npmCommand dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#pinned-dependencies"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#cii-best-practices"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: LICENSE:0","Info: FSF or OSI recognized license: BSD 3-Clause \"New\" or \"Revised\" License: LICENSE:0"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#license"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#fuzzing"}},{"name":"Signed-Releases","score":-1,"reason":"no releases found","details":null,"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#signed-releases"}},{"name":"Branch-Protection","score":-1,"reason":"internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration","details":null,"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#branch-protection"}},{"name":"SAST","score":0,"reason":"SAST tool is not run on all commits -- score normalized to 0","details":["Warn: 0 commits out of 21 are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#sast"}},{"name":"Vulnerabilities","score":9,"reason":"1 existing vulnerabilities detected","details":["Warn: Project is vulnerable to: GHSA-v6h2-p8h4-qcjw"],"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#vulnerabilities"}}]},"last_synced_at":"2025-08-23T14:34:13.612Z","repository_id":2619746,"created_at":"2025-08-23T14:34:13.613Z","updated_at":"2025-08-23T14:34:13.613Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":32340114,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-26T23:26:28.701Z","status":"online","status_checked_at":"2026-04-27T02:00:06.769Z","response_time":128,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"},"tags":[]},"repo_metadata_updated_at":"2026-05-26T14:20:24.093Z","dependent_packages_count":32986,"downloads":44601779,"downloads_period":"last-month","dependent_repos_count":230048,"rankings":{"downloads":0.04517671488071705,"dependent_repos_count":0.07094113227632598,"dependent_packages_count":0.0033403389184530176,"stargazers_count":0.8470497140998444,"forks_count":1.4052970108895049,"docker_downloads_count":0.06910668385389686,"average":0.4068185991531237},"purl":"pkg:npm/shelljs","advisories":[{"uuid":"GSA_kwCzR0hTQS00cnE0LTMycnYtNndwNs0icg","url":"https://github.com/advisories/GHSA-4rq4-32rv-6wp6","title":"Improper Privilege Management in shelljs","description":"shelljs is vulnerable to Improper Privilege Management","origin":"UNSPECIFIED","severity":"HIGH","published_at":"2022-01-21T23:37:28.000Z","withdrawn_at":null,"classification":"GENERAL","cvss_score":7.1,"cvss_vector":"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H","references":["https://nvd.nist.gov/vuln/detail/CVE-2022-0144","https://github.com/shelljs/shelljs/commit/d919d22dd6de385edaa9d90313075a77f74b338c","https://huntr.dev/bounties/50996581-c08e-4eed-a90e-c0bac082679c","https://github.com/advisories/GHSA-4rq4-32rv-6wp6"],"source_kind":"github","identifiers":["GHSA-4rq4-32rv-6wp6","CVE-2022-0144"],"repository_url":"https://github.com/shelljs/shelljs","blast_radius":0.0,"created_at":"2022-12-21T16:12:38.007Z","updated_at":"2026-04-27T16:07:57.676Z","epss_percentage":0.0018,"epss_percentile":0.3934,"api_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS00cnE0LTMycnYtNndwNs0icg","html_url":"https://advisories.ecosyste.ms/advisories/GSA_kwCzR0hTQS00cnE0LTMycnYtNndwNs0icg","packages":[{"ecosystem":"npm","package_name":"shelljs","versions":[{"first_patched_version":"0.8.5","vulnerable_version_range":"\u003c 0.8.5"}],"purl":"pkg:npm/shelljs"}],"related_packages_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS00cnE0LTMycnYtNndwNs0icg/related_packages","related_advisories":[]},{"uuid":"GSA_kwCzR0hTQS02NGc3LW12dzYtdjlxas0jWA","url":"https://github.com/advisories/GHSA-64g7-mvw6-v9qj","title":"Improper Privilege Management in shelljs","description":"### Impact\nOutput from the synchronous version of `shell.exec()` may be visible to other users on the same system. You may be affected if you execute `shell.exec()` in multi-user Mac, Linux, or WSL environments, or if you execute `shell.exec()` as the root user.\n\nOther shelljs functions (including the asynchronous version of `shell.exec()`) are not impacted.\n\n### Patches\nPatched in shelljs 0.8.5\n\n### Workarounds\nRecommended action is to upgrade to 0.8.5.\n\n### References\nhttps://huntr.dev/bounties/50996581-c08e-4eed-a90e-c0bac082679c/\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Ask at https://github.com/shelljs/shelljs/issues/1058\n* Open an issue at https://github.com/shelljs/shelljs/issues/new\n","origin":"UNSPECIFIED","severity":"MODERATE","published_at":"2022-01-14T21:09:50.000Z","withdrawn_at":null,"classification":"GENERAL","cvss_score":0.0,"cvss_vector":null,"references":["https://github.com/shelljs/shelljs/security/advisories/GHSA-64g7-mvw6-v9qj","https://huntr.dev/bounties/50996581-c08e-4eed-a90e-c0bac082679c/","https://github.com/advisories/GHSA-64g7-mvw6-v9qj"],"source_kind":"github","identifiers":["GHSA-64g7-mvw6-v9qj"],"repository_url":"https://github.com/shelljs/shelljs","blast_radius":0.0,"created_at":"2022-12-21T16:12:38.510Z","updated_at":"2026-05-04T17:10:16.516Z","epss_percentage":null,"epss_percentile":null,"api_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS02NGc3LW12dzYtdjlxas0jWA","html_url":"https://advisories.ecosyste.ms/advisories/GSA_kwCzR0hTQS02NGc3LW12dzYtdjlxas0jWA","packages":[{"ecosystem":"npm","package_name":"shelljs","versions":[{"first_patched_version":"0.8.5","vulnerable_version_range":"\u003c 0.8.5"}],"purl":"pkg:npm/shelljs"}],"related_packages_url":"https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS02NGc3LW12dzYtdjlxas0jWA/related_packages","related_advisories":[]}],"docker_usage_url":"https://docker.ecosyste.ms/usage/npm/shelljs","docker_dependents_count":5989,"docker_downloads_count":2100993224,"usage_url":"https://repos.ecosyste.ms/usage/npm/shelljs","dependent_repositories_url":"https://repos.ecosyste.ms/api/v1/usage/npm/shelljs/dependencies","status":null,"funding_links":[],"critical":true,"issue_metadata":{"last_synced_at":"2026-03-16T11:29:42.169Z","issues_count":128,"pull_requests_count":164,"avg_time_to_close_issue":36292755.059523806,"avg_time_to_close_pull_request":5637445.14893617,"issues_closed_count":84,"pull_requests_closed_count":141,"pull_request_authors_count":31,"issue_authors_count":104,"avg_comments_per_issue":4.7265625,"avg_comments_per_pull_request":2.0548780487804876,"merged_pull_requests_count":117,"bot_issues_count":0,"bot_pull_requests_count":11,"past_year_issues_count":9,"past_year_pull_requests_count":48,"past_year_avg_time_to_close_issue":803763.75,"past_year_avg_time_to_close_pull_request":698329.5116279069,"past_year_issues_closed_count":4,"past_year_pull_requests_closed_count":43,"past_year_pull_request_authors_count":7,"past_year_issue_authors_count":9,"past_year_avg_comments_per_issue":2.555555555555556,"past_year_avg_comments_per_pull_request":1.5,"past_year_bot_issues_count":0,"past_year_bot_pull_requests_count":9,"past_year_merged_pull_requests_count":34,"issues_url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/repositories/shelljs%2Fshelljs/issues","maintainers":[{"login":"nfischer","count":130,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/nfischer"},{"login":"arturadib","count":1,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/arturadib"}],"active_maintainers":[{"login":"nfischer","count":28,"url":"https://issues.ecosyste.ms/api/v1/hosts/GitHub/authors/nfischer"}]},"versions_url":"https://packages.ecosyste.ms/api/v1/registries/npmjs.org/packages/shelljs/versions","version_numbers_url":"https://packages.ecosyste.ms/api/v1/registries/npmjs.org/packages/shelljs/version_numbers","latest_version_url":"https://packages.ecosyste.ms/api/v1/registries/npmjs.org/packages/shelljs/latest_version","dependent_packages_url":"https://packages.ecosyste.ms/api/v1/registries/npmjs.org/packages/shelljs/dependent_packages","related_packages_url":"https://packages.ecosyste.ms/api/v1/registries/npmjs.org/packages/shelljs/related_packages","codemeta_url":"https://packages.ecosyste.ms/api/v1/registries/npmjs.org/packages/shelljs/codemeta","maintainers":[{"uuid":"artur","login":"artur","name":null,"email":"arturadib@gmail.com","url":null,"packages_count":3,"html_url":"https://www.npmjs.com/~artur","role":null,"created_at":"2022-11-10T11:27:04.940Z","updated_at":"2022-11-10T11:27:04.940Z","packages_url":"https://packages.ecosyste.ms/api/v1/registries/npmjs.org/maintainers/artur/packages"},{"uuid":"nfischer","login":"nfischer","name":null,"email":"ntfschr@gmail.com","url":null,"packages_count":20,"html_url":"https://www.npmjs.com/~nfischer","role":null,"created_at":"2022-11-10T11:27:04.942Z","updated_at":"2022-11-10T11:27:04.942Z","packages_url":"https://packages.ecosyste.ms/api/v1/registries/npmjs.org/maintainers/nfischer/packages"},{"uuid":"freitagbr","login":"freitagbr","name":null,"email":"freitagbr@gmail.com","url":null,"packages_count":3,"html_url":"https://www.npmjs.com/~freitagbr","role":null,"created_at":"2022-11-10T11:27:04.944Z","updated_at":"2022-11-10T11:27:04.944Z","packages_url":"https://packages.ecosyste.ms/api/v1/registries/npmjs.org/maintainers/freitagbr/packages"}]}