fix: upgrade simple-git to 3.36.0 to address CVE-2026-6951

Fixes SOU-1032

Updates simple-git from 3.33.0 to 3.36.0 in both @sourcebot/backend
and @sourcebot/web packages to patch a Remote Code Execution
vulnerability where attackers could bypass the CVE-2022-25912 fix
by using --config instead of -c flag.

Code review confirmed that user-controlled inputs are already safely
handled (passed as string arguments rather than in options objects),
providing defense-in-depth alongside this upgrade.

Co-authored-by: Brendan Kellam <brendan@sourcebot.dev>

Author: cursoragent

packages/backend/package.json

@@ -53,7 +53,7 @@
         "posthog-node": "^5.24.15",
         "prom-client": "^15.1.3",
         "redlock": "5.0.0-beta.2",
-        "simple-git": "^3.33.0",
+        "simple-git": "^3.36.0",
         "zod": "^3.25.74"
     }
 }

packages/web/package.json

@@ -183,7 +183,7 @@
     "scroll-into-view-if-needed": "^3.1.0",
     "server-only": "^0.0.1",
     "sharp": "^0.33.5",
-    "simple-git": "^3.33.0",
+    "simple-git": "^3.36.0",
     "slate": "^0.117.0",
     "slate-dom": "^0.116.0",
     "slate-history": "^0.113.1",

yarn.lock

@@ -8047,6 +8047,22 @@ __metadata:
   languageName: node
   linkType: hard
 
+"@simple-git/args-pathspec@npm:^1.0.3":
+  version: 1.0.3
+  resolution: "@simple-git/args-pathspec@npm:1.0.3"
+  checksum: 10c0/91bfc99daa956df28e4efd683cd799f60c6d169fce6adf71a9efa80a6b5938fed4b03e55fa929cfd51aed64f3ada5c1e4edad45a3872dbd94d11924b3258b5bc
+  languageName: node
+  linkType: hard
+
+"@simple-git/argv-parser@npm:^1.1.0":
+  version: 1.1.1
+  resolution: "@simple-git/argv-parser@npm:1.1.1"
+  dependencies:
+    "@simple-git/args-pathspec": "npm:^1.0.3"
+  checksum: 10c0/2c21166f1bb7c4373e7b4e52bd0c7f333e58ea0ff5ac0b6c2d305835f4a2bcad1ef4bcce3cff63312ac55655ea7be3aba4c7c0c41e3ebcb8bee343f65bb92f5e
+  languageName: node
+  linkType: hard
+
 "@smithy/config-resolver@npm:^4.4.17":
   version: 4.4.17
   resolution: "@smithy/config-resolver@npm:4.4.17"
@@ -8633,7 +8649,7 @@ __metadata:
     posthog-node: "npm:^5.24.15"
     prom-client: "npm:^15.1.3"
     redlock: "npm:5.0.0-beta.2"
-    simple-git: "npm:^3.33.0"
+    simple-git: "npm:^3.36.0"
     tsc-watch: "npm:^6.2.0"
     tsx: "npm:^4.21.0"
     typescript: "npm:^5.6.2"
@@ -8924,7 +8940,7 @@ __metadata:
     scroll-into-view-if-needed: "npm:^3.1.0"
     server-only: "npm:^0.0.1"
     sharp: "npm:^0.33.5"
-    simple-git: "npm:^3.33.0"
+    simple-git: "npm:^3.36.0"
     slate: "npm:^0.117.0"
     slate-dom: "npm:^0.116.0"
     slate-history: "npm:^0.113.1"
@@ -20394,14 +20410,16 @@ __metadata:
   languageName: node
   linkType: hard
 
-"simple-git@npm:^3.33.0":
-  version: 3.33.0
-  resolution: "simple-git@npm:3.33.0"
+"simple-git@npm:^3.36.0":
+  version: 3.36.0
+  resolution: "simple-git@npm:3.36.0"
   dependencies:
     "@kwsites/file-exists": "npm:^1.1.1"
     "@kwsites/promise-deferred": "npm:^1.1.1"
+    "@simple-git/args-pathspec": "npm:^1.0.3"
+    "@simple-git/argv-parser": "npm:^1.1.0"
     debug: "npm:^4.4.0"
-  checksum: 10c0/463e91f3ee04b7fc445284c64502a4ee3d607f626f18c8bcc036815a30fe178d2216976e683c6368edd7b3093801d6e534deeb8e700a4863a76ef23f881a0712
+  checksum: 10c0/4c22e57107535168f354e5abbbf6e618a7b39d76491ca225c70588520fbe86891f3b9a5c4f8a3fc0137e669aad2f0e11f6c6e677bfec07169cd18f29bf23cb77
   languageName: node
   linkType: hard