renovate 42.68.3 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the renovate package. This does not include vulnerabilities belonging to this package’s dependencies.

Fix vulnerabilities automatically

Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

Fix for free

Vulnerability	Vulnerable Version
M Improper Removal of Sensitive Information Before Storage or Transfer renovate is a dependency updater. Affected versions of this package are vulnerable to Improper Removal of Sensitive Information Before Storage or Transfer due to spawned child processes inheriting and not properly filtering environment variables. An attacker can access sensitive environment variables from the calling process from inside child processes. How to fix Improper Removal of Sensitive Information Before Storage or Transfer? Upgrade `renovate` to version 42.96.3, 43.4.4 or higher.	>=42.68.1 <42.96.3>=43.0.0 <43.4.4
H Command Injection renovate is a dependency updater. Affected versions of this package are vulnerable to Command Injection via the `distributionUrl` parameter in the Gradle Wrapper update process. An attacker can execute arbitrary commands within the runtime environment by injecting shell command substitution syntax into the `distributionUrl` value into the `gradle-wrapper.properties` file. This can lead to unauthorized file access, data exfiltration, or modification of resources accessible to the process. Note: Users of composer, yarn (v1) or flux managers, should consider upgrading to 42.74.5 (2026-01-08), as there were follow-up fixes to keep these managers working. How to fix Command Injection? Upgrade `renovate` to version 42.68.5 or higher.	>=32.124.0 <42.68.5

Vulnerability

Vulnerable Version

Improper Removal of Sensitive Information Before Storage or Transfer

renovate is a dependency updater.

Affected versions of this package are vulnerable to Improper Removal of Sensitive Information Before Storage or Transfer due to spawned child processes inheriting and not properly filtering environment variables. An attacker can access sensitive environment variables from the calling process from inside child processes.

How to fix Improper Removal of Sensitive Information Before Storage or Transfer?

Upgrade renovate to version 42.96.3, 43.4.4 or higher.

>=42.68.1 <42.96.3>=43.0.0 <43.4.4

Command Injection

renovate is a dependency updater.

Affected versions of this package are vulnerable to Command Injection via the distributionUrl parameter in the Gradle Wrapper update process. An attacker can execute arbitrary commands within the runtime environment by injecting shell command substitution syntax into the distributionUrl value into the gradle-wrapper.properties file. This can lead to unauthorized file access, data exfiltration, or modification of resources accessible to the process.

Note:

Users of composer, yarn (v1) or flux managers, should consider upgrading to 42.74.5 (2026-01-08), as there were follow-up fixes to keep these managers working.

How to fix Command Injection?

Upgrade renovate to version 42.68.5 or higher.

>=32.124.0 <42.68.5

renovate@42.68.3 vulnerabilities

Automated dependency updates. Flexible so you don't need to be.

latest version

latest non vulnerable version

first published

latest version published

licenses detected

Direct Vulnerabilities

Fix vulnerabilities automatically