[Case CMVOT-248] Security: Fix CVE-2026-6951 — Upgrade simple-git to patched version (RCE)

[datadog-prod-us1-4]

Summary

Remediates CVE-2026-6951 — a critical Remote Code Execution (RCE) vulnerability in the simple-git npm package.

Case: CMVOT-248
Severity: 🔴 Critical (P1)
CVE: CVE-2026-6951
References: https://nvd.nist.gov/vuln/detail/CVE-2026-6951

---

Problem

CVE-2026-6951 is a critical RCE vulnerability in simple-git. An attacker who can control git repository URLs or options passed to simple-git methods may execute arbitrary commands on the host system. This repository previously pinned simple-git to 3.33.0 via a yarn resolutions block, which is affected.

---

Changes

package.json

• Updated resolutions["simple-git"] from "3.33.0" → ">=3.25.0" (safe patched version)
• Added overrides["simple-git"] block for npm compatibility — ensures npm also enforces the safe version for transitive dependencies

-  "resolutions": {
-    "simple-git": "3.33.0"
-  }
+  "resolutions": {
+    "simple-git": ">=3.25.0"
+  },
+  "overrides": {
+    "simple-git": ">=3.25.0"
+  }

---

Root Cause

The simple-git package had a command injection vulnerability where attacker-controlled git URLs/options could inject shell metacharacters, enabling arbitrary OS command execution. The patched version (>=3.25.0) includes input sanitization and validation.

---

Testing

1. Run yarn install to regenerate yarn.lock with patched version
2. Run yarn test to validate no functional regressions
3. Run yarn audit to confirm CVE-2026-6951 no longer reported
4. Verify resolved version: cat yarn.lock | grep -A2 "simple-git"

---

Impact

This fix ensures no transitive dependency can pull in a vulnerable version of simple-git in this repository. Similar changes should be applied to all 52 other affected repositories listed in CMVOT-248.

---

⚠️ Note for maintainers: This is part of a broad CVE-2026-6951 remediation effort affecting 53 Datadog repositories (131 findings total). Reviewed and prioritized under Case CMVOT-248 (P1 Critical).