Skip to content

upgrade cross-spawn dependency #168

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

upgrade cross-spawn dependency #168

wants to merge 1 commit into from

Conversation

@sandeepkasera
Copy link

@sandeepkasera sandeepkasera commented Nov 22, 2024

This PR upgrades the cross-spawn from version 5.0.1 to 7.0.6.

##Reason for Upgrade
Versions of the package cross-spawn before 7.0.5 are vulnerable to Regular Expression Denial of Service (ReDoS) due to
improper input sanitization. An attacker can increase the CPU usage and crash the program by crafting a very large and well
crafted string.

##Changes Made
Updated package.json

##Linked Issues
Fixes #167

@mgagliardo91
Copy link

mgagliardo91 commented Dec 6, 2024

Can we get this in so we can avoid overriding the cross-spawn dep?

@Tzahile
Copy link

Tzahile commented Mar 13, 2025
edited
Loading

@sandeepkasera I got approved, please push it
(or someone from the contributors @mgagliardo91 @serhii-boiko )

@sandeepkasera
Copy link
Author

sandeepkasera commented Mar 13, 2025

@Tzahile I do not have the necessary permissions to merge this pull request.

@serlight1
Copy link

serlight1 commented May 15, 2025

Can anybody merge this MR? It's really necessary to avoid ReDoS

@kevinfmanning
Copy link

kevinfmanning commented Oct 29, 2025

Can this ACTUALLY get reviewed/merged?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@serhii-boiko serhii-boiko serhii-boiko approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Upgrade cross-spawn Dependency to Address Security Vulnerability (ReDoS)

6 participants

@sandeepkasera @mgagliardo91 @Tzahile @serlight1 @kevinfmanning @serhii-boiko