Skip to content

Update dependency node-notifier to v8 [SECURITY]#209

Open
renovate[bot] wants to merge 1 commit into
masterfrom
renovate-npm-node-notifier-vulnerability
Open

Update dependency node-notifier to v8 [SECURITY]#209
renovate[bot] wants to merge 1 commit into
masterfrom
renovate-npm-node-notifier-vulnerability

Conversation

@renovate
Copy link
Copy Markdown
Contributor

@renovate renovate Bot commented Nov 26, 2025
edited
Loading

This PR contains the following updates:

Package Change Age Confidence
node-notifier ^5.1.2^8.0.0 age confidence

OS Command Injection in node-notifier

CVE-2020-7789 / GHSA-5fw9-fq32-wv5p

More information

Details

This affects the package node-notifier before 8.0.1. It allows an attacker to run arbitrary commands on Linux machines due to the options params not being sanitised when being passed an array.

Severity

  • CVSS Score: 5.6 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

OS Command Injection in node-notifier

CVE-2020-7789 / GHSA-5fw9-fq32-wv5p

More information

Details

This affects the package node-notifier before 8.0.1. It allows an attacker to run arbitrary commands on Linux machines due to the options params not being sanitised when being passed an array.

Severity

  • CVSS Score: 5.6 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

Release Notes

mikaelbr/node-notifier (node-notifier)

v8.0.1

Compare Source

v8.0.0

Compare Source

Breaking changes:

  • Expire time for notify-send is made to match macOS and Windows with default time of 10 seconds. The API is changed to take seconds as input and converting it to milliseconds before passing it on to notify-send. See #​341.

v7.0.2

Compare Source

  • Updates dependencies
  • Fixes issue with haning Windows notifications when disabled (#​335)

v7.0.1

Compare Source

  • Fixes import of uuid, removes deprecation warnings

v7.0.0

Compare Source

Features
  • NotifySend support for app-name (#​299, see docs)
Breaking Changes
  • All notify messages now have auto bound context to make it easier to pass as variables/arguments (#​306)
  • Updated snoreToast to version 0.7.0 with new input features (#​293)
  • Breaking snoreToast: Sanitizing data now changes "timedout" to "timeout"

v6.0.0

Compare Source

Breaking Changes
  • Dropped support for node v6. As of v6 we currently support node versions 8, 10, and 12 (latest).
  • Updated to the latest version of SnoreToast. This removes support for the wait option in that environment as it is now always on. Prepares the way for other new features added to the WindowsToaster.
Other
  • Update to latest version of dependencies.

v5.4.5

Compare Source

v5.4.4

Compare Source

  • Fixes potential security issue with non-escaping input parameters for notify-send.

v5.4.3

Compare Source

  • Fixes potential security issue with non-escaping input parameters for notify-send.

v5.4.2

Compare Source

  • Updates dependencies

v5.4.1

Compare Source

  • Reverts changes to default timeout as they are causing some issues. See #​271

v5.4.0

Compare Source

  • Prevent Spotlight from indexing terminal-notifier.app (#​238)
  • Changes from legacy url.parse api
  • Adds default timeout to notification center
  • Adds mapping from timeout to expire time for linux
  • Enables the use of WindowsToaster when using WSL (#​260)

v5.3.0

Compare Source

  • Re-adds notifu update.

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • ""
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Never, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate Bot force-pushed the renovate-npm-node-notifier-vulnerability branch from b0370ad to 0aacf99 Compare January 21, 2026 15:19
@renovate renovate Bot force-pushed the renovate-npm-node-notifier-vulnerability branch from 0aacf99 to bc38d2c Compare February 13, 2026 19:20
@renovate renovate Bot force-pushed the renovate-npm-node-notifier-vulnerability branch from bc38d2c to 9dff0fc Compare March 13, 2026 11:49
@renovate renovate Bot changed the title chore(deps): update dependency node-notifier to v8 [security] Update dependency node-notifier to v8 [SECURITY] Apr 8, 2026
@renovate renovate Bot changed the title Update dependency node-notifier to v8 [SECURITY] Update dependency node-notifier to v8 [SECURITY] - autoclosed Apr 15, 2026
@renovate renovate Bot closed this Apr 15, 2026
@renovate renovate Bot deleted the renovate-npm-node-notifier-vulnerability branch April 15, 2026 09:47
@renovate renovate Bot changed the title Update dependency node-notifier to v8 [SECURITY] - autoclosed Update dependency node-notifier to v8 [SECURITY] Apr 16, 2026
@renovate renovate Bot reopened this Apr 16, 2026
@renovate renovate Bot force-pushed the renovate-npm-node-notifier-vulnerability branch 2 times, most recently from 9dff0fc to a35d053 Compare April 16, 2026 14:11
@renovate renovate Bot force-pushed the renovate-npm-node-notifier-vulnerability branch from a35d053 to 2ff4f47 Compare April 29, 2026 09:54
@renovate renovate Bot force-pushed the renovate-npm-node-notifier-vulnerability branch from 2ff4f47 to 6ef48e0 Compare May 12, 2026 15:16
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants