Popular npm Package shell-quote Patches Critical Command Injection Bug
ID: b1b5080b-a515-56a5-9f50-a21b0ff84004
STIX ID: report--b1b5080b-a515-56a5-9f50-a21b0ff84004
Feed Name: securityonline.info
A critical command-injection vulnerability (CVE-2026-9277) was disclosed in the widely used npm package `shell-quote`. The `quote()` function failed to escape JavaScript newline/line-terminator characters, so a literal newline could act as a POSIX shell command separator and enable execution of a second command. The bug affects versions `1.1.0` through `1.8.3` and is fixed in `1.8.4`; developers are advised to upgrade immediately or apply strict input validation/workarounds.
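As an added example (not code from the advisory or from the `shell-quote` project), the following checks a `package-lock.json` for copies of `shell-quote` in the affected range given above and provides an interim argument guard for callers that cannot upgrade yet. The helper names and the sample lockfile are constructed for illustration, and rejecting all four JavaScript line terminators is an assumed, conservative reading of "strict input validation".

```javascript
// Added example: helper names and the sample lockfile are constructed.
const AFFECTED_FROM = [1, 1, 0]; // first affected version per the advisory
const FIXED_IN = [1, 8, 4];      // first fixed version per the advisory

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(String(v));
  return m ? m.slice(1).map(Number) : null;
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// True for plain x.y.z versions in 1.1.0 .. 1.8.3. Anything unparseable
// (pre-release tags, git URLs) is flagged so that a human reviews it.
function isAffected(version) {
  const v = parseVersion(version);
  if (v === null) return true;
  return compare(v, AFFECTED_FROM) >= 0 && compare(v, FIXED_IN) < 0;
}

// Walk the "packages" map of a package-lock.json (lockfileVersion 2 or 3),
// including copies nested under other dependencies.
function findAffectedShellQuote(lock) {
  return Object.entries(lock.packages || {})
    .filter(([path, meta]) =>
      /(^|\/)node_modules\/shell-quote$/.test(path) && isAffected(meta.version))
    .map(([path, meta]) => `${path}@${meta.version}`);
}

// Interim guard (assumed workaround): refuse any argument containing a
// JavaScript line terminator (LF, CR, U+2028, U+2029) before quoting it.
const LINE_TERMINATOR = /[\n\r\u2028\u2029]/;
function rejectLineTerminators(args) {
  for (const arg of args) {
    if (typeof arg !== 'string' || LINE_TERMINATOR.test(arg)) {
      throw new TypeError('argument is not a string or contains a line terminator');
    }
  }
  return args;
}

// Constructed sample lockfile fragment.
const sampleLock = { lockfileVersion: 3, packages: {
  'node_modules/shell-quote': { version: '1.8.4' },
  'node_modules/some-cli/node_modules/shell-quote': { version: '1.7.2' },
  'node_modules/other/node_modules/shell-quote': { version: '1.0.5' },
} };
```

Run `findAffectedShellQuote` over the parsed lockfile in CI to catch transitive copies that a top-level upgrade does not replace.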
