Shopify

Hydrogen, Polaris, and the CLI — the dev platform behind millions of stores

CRITICAL COMMAND INJECTION IN SHOPIFY CLI — PATCH IMMEDIATELY

By RepoJournal · Filed · About Shopify

Shopify CLI's process killer contains a command injection vulnerability on Windows that lets attackers execute arbitrary commands through a malicious PID string.

The vulnerability [1] lives in the treeKill utility, where insufficient PID validation combined with shell-interpreted `child_process.exec` calls opens a direct path to code execution. The fix [2] replaces the broken `Number.isNaN` check with strict regex validation and swaps `exec` for `spawn` so that the PID is passed as a discrete argument rather than interpreted by a shell. This is the kind of dormant-until-discovered flaw that affects every developer using the CLI on Windows — upgrade before your next theme push or app deployment.

Beyond the security work, the team spent the last 24 hours hardening test infrastructure and fixing runtime detection. The file watcher now catches new files added during dev sessions [3], which matters because files created after startup were previously dropped by the watcher without any warning. The test suite is shifting away from filesystem mocks toward real temporary directories, a pattern that catches more bugs in practice. These aren't headline moves, but they're the kind of foundational work that prevents hours of debugging later.

One more fix landed for theme pushes: settings_schema.json now uploads before validator-consumer assets [4], which unblocks fresh dev theme deploys that use the new color_palette setting type. If you've hit the "first push fails, second push works" wall, this is your fix.

References

  [1] Sentinel: [CRITICAL] Fix command injection in treeKill utility (Shopify/cli)
  [2] Merge pull request #7430 from Shopify/sentinel/fix-tree-kill-command-injection-13735669651940213355 (Shopify/cli)
  [3] Detect new files added during dev session in file watcher (Shopify/cli)
  [4] Upload settings_schema.json before validator-consumer assets (Shopify/cli)

FAQ

What changed in Shopify on May 9, 2026?
Shopify CLI's process killer contains a command injection vulnerability on Windows that lets attackers execute arbitrary commands through a malicious PID string.
What should Shopify teams do about it?
  • Update Shopify CLI immediately to patch the command injection vulnerability
  • If deploying new themes with color_palette settings, upgrade to get the schema upload fix
Which Shopify repositories shipped on May 9, 2026?
Shopify/cli
