Advisories for Npm/Renovate package

When Renovate spawns child processes, their access to environment variables is filtered to an allowlist, to prevent unauthorized access to privileged credentials that the Renovate process has access to. Since 42.68.1 (2025-12-30), this filtering had been inadvertently removed, and so any child processes spawned from these versions will have had access to any environment variables that Renovate has access to. This could lead to insider attackers and outside attackers being …

The user-provided string packageName in the npm manager is appended to the npm install command during lock maintenance without proper sanitization.

The user-provided chart name in the kustomize manager is appended to the helm pull –untar command without proper sanitization.

The user-provided string depName in the hermit manager is appended to the ./hermit install and ./hermit uninstall commands without proper sanitization.

The user-provided string repository in the helmv3 manager is appended to the helm registry login command without proper sanitization.

Renovate can be tricked into executing shell code while updating the Gradle Wrapper. A malicious distributionUrl in gradle/wrapper/gradle-wrapper.properties can lead to command execution in the Renovate runtime.

The user-provided string depName in the gleam manager is appended to the gleam deps update command without proper sanitization.

Attackers with commit access to the default branch of a repo using Renovate could manipulate helmv3 registryAliases to execute arbitrary commands.

Impact Applies to Azure DevOps users only. The bot's token may be exposed in server or pipeline logs due to the http.extraheader=AUTHORIZATION parameter being logged without redaction. It is recommended that Azure DevOps users revoke their existing bot credentials and generate new ones after upgrading if there's a potential that logs have been saved to a location that others can view. Patches Fixed Workarounds Do not share Renovate logs with …

Go Modules Vulnerability Disclosure Impact Temporary repository tokens were leaked into Pull Requests comments in during certain Go Modules update failure scenarios. Patches The problem has been patched. Self-hosted users should upgrade to v19.38.7 or later. Workarounds Disable Go Modules support. References Blog post: https://renovatebot.com/blog/go-modules-vulnerability-disclosure For more information If you have any questions or comments about this advisory: Open an issue in Renovate Email us at support@renovatebot.com