Update dependency @google/clasp to v3 [SECURITY]

[balena-renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
@google/clasp	^2.4.1 → ^3.0.0

---

@​google/clasp vulnerable to unsafe path traversal cloning or pulling a malicious script

CVE-2026-4092 / GHSA-hqjg-pww4-pcgq

More information

Details

Impact

Allows an attacker to perform a "Path Traversal" attack to modify files outside the projects directory, potentially allowing for running attacker code on the developer's machine.

Patches

Fixed in version 3.2.0

Workarounds

• Only clone or pull scripts from trusted sources
• Review the output of the pull and clone commands to verify only expected project files are modified

Severity

• CVSS Score: 8.7 / 10 (High)
• Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

References

• https://github.com/google/clasp/security/advisories/GHSA-hqjg-pww4-pcgq
• https://nvd.nist.gov/vuln/detail/CVE-2026-4092
• https://github.com/google/clasp/pull/1109
• https://github.com/google/clasp/commit/ba6bd666fe74de54950122b5d92ecf1dcc02a9d3
• https://github.com/google/clasp/releases/tag/v3.2.0
• https://github.com/advisories/GHSA-hqjg-pww4-pcgq

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

google/clasp (@​google/clasp)

v3.2.0

Compare Source

Features

• add Claude Code CLI support (#​1111) (56f0e62)
• Add support for comments in project settings file (#​1102) (64acdc2)
• Support custom port for no-localhost login (#​1104) (833eb7c)

Bug Fixes

• Improve validation of credential files (511a060)
• (SECURITY) prevent path traversal in remote file synchronization (#​1109) (ba6bd66)

v3.1.3

Compare Source

Bug Fixes

• Add back redirect port to login cmd to be consistent with current documentation (#​1094) (9e8f717)
• Gemini CLI Extension Path Issue (#​1097) (b466c57)

v3.1.1

Compare Source

Features

• Add config file to make repo a Gemini CLI extension (#​1090) (3b4bb8a)

Bug Fixes

• Separated URL from prompt message to help terminals better detect URL to make it clickable (#​1089) (9d59aa1)
• update Gemini CLI extension config file (#​1092) (62e0dac)

v3.1.0

Compare Source

Features

• Add delete command (#​1050 (3173db0)
• Add script id option to list commands ([#​1060)(#​1066) (4579421)
• Make --json flag global (#​1074 (a415260)

Bug Fixes

• handle unknown severity levels in logs (#​1081) (79fb283)
• Assorted documentation fixes

v2.5.0

Compare Source

Features

• Add support for custom redirect port in clasp login (#​1020) (d55832e)

Bug Fixes

• Don't write files on clone if unable to fetch project (#​824) (b3b292a)
• Rethrow error so command exits with error status (#​1019) (29ac629)

v2.4.2

Compare Source

Bug Fixes

• remove online check (#​936) (6775d9f)

2.4.1 (2021-08-09)

Bug Fixes

• Don't require package.json for simple commands (#​840) (#​862) (ad5d045)
• Fix saving credentials when refreshed. (#​863) (48e6fa3)
• Honor --project CLI option (#​865) (deacf03)
• Shut down embedded server on login faster (40e0b3d)

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate.

[balena-renovate]

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.