SHOPIFY CLI PATCHES DNS REBINDING HOLE IN THEME DEV

By RepoJournal

A critical security vulnerability in theme dev could let malicious sites steal data through DNS rebinding attacks, and Shopify shipped the fix overnight.

The CLI now maintains a strict allowlist of localhost variants (localhost, 127.0.0.1, ::1, 0.0.0.0) and validates every incoming request against it [1], closing a hole that could expose developer data when running theme dev alongside untrusted browser tabs. On the reliability front, E2E cleanup got overhauled to handle the dashboard failures that were leaving orphaned apps behind [2], with per-app retry logic and safer name parsing that should eliminate the stale pagination cursor problems teams hit during bulk discovery. Analytics metadata for app and theme commands was getting lost after the bundled CLI switched to dual module graphs [3], which broke observability on those commands and got fixed to properly thread metadata through the build. The CLI also extended ExtensionInstance.deployConfig to surface app configuration data to extensions like Flow actions [4], unblocking downstream work that needs access to application URLs and settings.
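A Host-header check of the kind described for theme dev, as an added JavaScript example; it is not the Shopify CLI's own code. The allowlist entries come from the article, while the function names, port 9292 and sample hosts are constructed for illustration.

```javascript
// Added example (not Shopify CLI code). The four names are the allowlist the article lists.
const ALLOWED_HOSTNAMES = new Set(['localhost', '127.0.0.1', '::1', '0.0.0.0']);

// Split a Host header into { hostname, port }. Returns null when malformed.
// IPv6 literals arrive bracketed, e.g. "[::1]:9292".
function parseHostHeader(value) {
  if (typeof value !== 'string') return null;
  const host = value.trim().toLowerCase();
  let hostname;
  let rest;
  if (host.startsWith('[')) {
    const end = host.indexOf(']');
    if (end === -1) return null;
    hostname = host.slice(1, end);
    rest = host.slice(end + 1);
  } else {
    const colon = host.indexOf(':');
    hostname = colon === -1 ? host : host.slice(0, colon);
    rest = colon === -1 ? '' : host.slice(colon);
  }
  // Anything after the hostname must be exactly ":<digits>".
  if (rest !== '' && !/^:\d{1,5}$/.test(rest)) return null;
  return { hostname, port: rest === '' ? null : Number(rest.slice(1)) };
}

// Exact match only: "localhost.attacker.example" must not pass.
function isAllowedHost(value) {
  const parsed = parseHostHeader(value);
  return parsed !== null && ALLOWED_HOSTNAMES.has(parsed.hostname);
}

// Connect-style guard (hypothetical name); runs before any route handler.
function hostGuard(req, res, next) {
  if (isAllowedHost(req.headers.host)) return next();
  res.statusCode = 403;
  res.end('Forbidden: unexpected Host header');
}

// Constructed sample Host values: after rebinding, the browser still sends
// the attacker's name in Host, which is what the check rejects.
function classifySamples() {
  const samples = ['localhost:9292', '[::1]:9292', '127.0.0.1',
    'rebind.attacker.example:9292', 'localhost.attacker.example', '127.0.0.1:9292@x'];
  return samples.map((h) => [h, isAllowedHost(h)]);
}
```

The guard compares the parsed hostname exactly, so lookalike names that merely begin with an allowed value are rejected along with rebinding domains.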

References

  [1] create allowlist for localhost variants and validate host on requests (Shopify/cli)
  [2] Fix E2E cleanup (Shopify/cli)
  [3] Fix analytics metadata for app/theme (Shopify/cli)
  [4] [Feature] Extend ExtensionInstance.deployConfig to include app config info (Shopify/cli)
  [5] Show actionable error when vite is missing in Hydrogen CLI (Shopify/hydrogen)

FAQ

What changed in Shopify on June 12, 2026?
A critical security vulnerability in theme dev could let malicious sites steal data through DNS rebinding attacks, and Shopify shipped the fix overnight.
What should Shopify teams do about it?
  • Update Shopify CLI immediately - DNS rebinding vulnerability in theme dev
  • Monitor Hydrogen preview release - new build step added to check workflow
  • Verify Hydrogen setup has vite installed before running CLI commands
Which Shopify repositories shipped on June 12, 2026?
Shopify/cli, Shopify/hydrogen
