GHSA-8wc6-vgrq-x6cf: Child processes spawned by Renovate incorrectly have full access to environment variables
When Renovate spawns child processes, their access to environment variables is filtered to an allowlist, to prevent unauthorized access to privileged credentials that the Renovate process has access to.
Since 42.68.1 (2025-12-30), this filtering had been inadvertently removed, and so any child processes spawned from these versions will have had access to any environment variables that Renovate has access to.
This could lead to insider attackers and outside attackers being able to exflitrate secrets from the Renovate deployment.
It is recommended to rotate (+ revoke) any credentials that Renovate has access to, in case any spawned child processes have attempted to exfiltrate any secrets.
References
Code Behaviors & Features
Detect and mitigate GHSA-8wc6-vgrq-x6cf with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →