RepoJournal
Shopify

Shopify

Hydrogen, Polaris, and the CLI — the dev platform behind millions of stores

Pick a date

  1. Tue 5 may
  2. Wed 6 may
  3. Thu 7 may
  4. Fri 8 may
  5. Sat 9 may
  6. Mon 11 may
  7. Tue 12 may
  8. Wed 13 may
  9. Thu 14 may
  10. Fri 15 may
  11. Sat 16 may
  12. Tue 19 may
  13. Thu 21 may
  14. Sat 23 may
  15. Wed 27 may
  16. Thu 28 may
  17. Fri 29 may
  18. Sat 30 may
  19. Mon 8 jun
  20. Tue 9 jun
  21. Today 10 jun

The Wire · Showcase

SHOPIFY CLI PATCHES SESSION DATA LEAK IN DEBUG LOGS

By RepoJournal · Filed · About Shopify

Shopify CLI just plugged a security hole that was exposing session cookies in debug output, and you need to pull this immediately.

The vulnerability [1] [2] was straightforward but critical: cookies weren't being redacted from debug logs, meaning anyone tailing logs in development could see session data. The fix adds 'cookie' to the sanitized keywords list and updates tests to verify it sticks. This is the kind of silent leak that works its way into production logs if you're not careful.

In parallel cleanup, the team reverted the entire hosted app project [3] after deciding to shelf that feature work. They preserved the asset upload infrastructure so other extension types keep working, but this was a full strategic step back on the admin extensibility roadmap. Worth noting if you were tracking that initiative.

Two smaller refinements landed: filesystem mocks got cleaned up in copy-by-pattern tests [4], and git tag retrieval logic shed some duplication [5]. Both reduce maintenance burden, neither blocks your deploys.

Action items

References

  1. [1] [Security] Redact cookies from debug logs Shopify/cli
  2. [2] Merge pull request #7531 from Shopify/sentinel/redact-cookies-3070110335838284999 Shopify/cli
  3. [3] Revert hosted app project changes ↗ Shopify/cli
  4. [4] Merge pull request #7538 from Shopify/tester/remove-fs-mocks-copy-by-pattern-220001070802494390 Shopify/cli
  5. [5] Merge pull request #7546 from Shopify/jules-refactor-git-tag-duplication-12497117072717296991 Shopify/cli

FAQ

What changed in Shopify on May 21, 2026?
Shopify CLI just plugged a security hole that was exposing session cookies in debug output, and you need to pull this immediately.
What should Shopify teams do about it?
Upgrade Shopify CLI and redeploy any local dev environments using it • Audit your debug logs if you've been running pre-patch CLI versions in shared environments • Watch the hosted app revert rollout if you have downstream dependencies on that feature
Which Shopify repositories shipped on May 21, 2026?
Shopify/cli

Related across the cluster

For your repos

The showcase is a teaser.
Your wire is the product.

Same engine. Different stack. Below: what changes when the wire is yours.

Showcase wire

  • 14 famous open source orgs
  • One wire per day
  • Public, generic
  • Read on the web, when you remember

Your wire

  • Up to 1,500 of your repos - orgs, deps, vendors
  • Morning and evening briefs
  • Action items routed to your team
  • Slack delivery, email, breaking-news CVE alerts

Want a hands-on demo first? Ask a current user for an invite link.