Skip to content

fix(release): Prevent script injection via dist_tag input#1668

Merged
ShubhamChaturvedi7 merged 1 commit into
masterfrom
fix/prod-release-dist-tag-script-injection
Jul 15, 2026
Merged

fix(release): Prevent script injection via dist_tag input#1668
ShubhamChaturvedi7 merged 1 commit into
masterfrom
fix/prod-release-dist-tag-script-injection

Conversation

@ShubhamChaturvedi7

Copy link
Copy Markdown
Contributor

Bind the workflow_dispatch dist_tag input to a DIST_TAG environment variable and reference it quoted in the lerna publish run step, instead of interpolating it directly into the inline shell command.

sim: https://t.corp.amazon.com/V2274388505

Issue #, if available:

Description of changes:

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

Check any applicable:

  • Were any files moved? Moving files changes their URL, which breaks all hyperlinks to the files.

Bind the workflow_dispatch dist_tag input to a DIST_TAG environment
variable and reference it quoted in the lerna publish run step, instead
of interpolating it directly into the inline shell command. This
matches the pattern already used for BRANCH and VERSION_BUMP and
resolves the ACAT script injection finding.

sim: https://t.corp.amazon.com/V2274388505
@ShubhamChaturvedi7 ShubhamChaturvedi7 requested a review from a team as a code owner July 15, 2026 21:41
@ShubhamChaturvedi7 ShubhamChaturvedi7 merged commit d2aee46 into master Jul 15, 2026
24 checks passed
@ShubhamChaturvedi7 ShubhamChaturvedi7 deleted the fix/prod-release-dist-tag-script-injection branch July 15, 2026 21:50
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants