dependency: update simple-git for CVE-2026-28292

[mschile]

• Closes N/A — security dependency update.

Additional details

• Why was this change necessary? Security scans reported Improper Handling of Case Sensitivity (CVE-2026-28292) in simple-git.
• What is affected? @packages/app and @packages/data-context — both depend on simple-git. Upgraded from 3.27.0 to ^3.32.3 (lockfile resolved to 3.33.0).
• Implementation: Version bump in both package.json files and CHANGELOG entry for 15.12.1.

---

Note

Medium Risk
Upgrades a core git integration dependency (simple-git) used by the app/data layer; behavior changes in git command execution or output could impact project setup/status flows. Includes a patch-package override of vendored simple-git build output, which could drift from upstream and affect runtime if the patch no longer applies cleanly.

Overview
Updates @packages/app and @packages/data-context to use simple-git ^3.32.3 (lockfile resolves to 3.33.0) to remediate CVE-2026-28292, and records the change in the 15.12.1 changelog.

Adds a patch-package patch for simple-git@3.33.0 adjusting how TasksPendingQueue.counter is initialized in the published CJS/ESM bundles.

^{Written by Cursor Bugbot for commit db81584. This will update automatically on new commits. Configure here.}

Steps to test

• yarn to install updated lockfile.
• Smoke-check any flows that use git (e.g. project setup, git status in the app). No API changes to simple-git are expected for this upgrade.

How has the user experience changed?

No user-facing behavior change; dependency security update only.

PR Tasks

• Have tests been added/updated? [na] — dependency upgrade only.
• Has a PR for user-facing changes been opened in cypress-documentation? [na]
• Have API changes been updated in the type definitions? [na]

[cypress]

cypress    Run #69375

Run Properties:   Passed #69375  •  db815840ba: Merge branch 'develop' into mschile/simple_git

Project	cypress
Branch Review	mschile/simple_git
Run status	Passed #69375
Run duration	19m 19s
Commit	db815840ba: Merge branch 'develop' into mschile/simple_git
Committer	Matt Schile
View all properties for this run ↗︎

---

Test results
Failures	0
Flaky	13
Pending	1112
Skipped	0
Passing	27193
View all changes introduced in this branch ↗︎

UI Coverage  61.04%
Untested elements	28
Tested elements	47

Accessibility  98.99%
Failed rules	0 critical   3 serious   1 moderate   0 minor
Failed elements	19

[cypress-bot]

Released in 15.13.0.

This comment thread has been locked. If you are still experiencing this issue after upgrading to
Cypress v15.13.0, please open a new issue.