
chore: unlock cross-spawn range #6606

Merged
merged 6 commits into from
Nov 25, 2024
Conversation

lswith
Contributor

@lswith lswith commented Nov 19, 2024

cross-spawn has a vulnerability moxystudio/node-cross-spawn#167.

This should allow the latest version of the cross-spawn package to work.

What's the problem this PR addresses?

...

How did you fix it?

...

Checklist

  • I have set the packages that need to be released for my changes to be effective.
  • I will check that all automated PR checks pass before the PR gets reviewed.

lswith and others added 5 commits November 19, 2024 15:51
cross-spawn has a vulnerability moxystudio/node-cross-spawn#167.

This should allow the latest version of the cross-spawn package to work.
Member

@merceyz merceyz left a comment


Based on moxystudio/node-cross-spawn#160 this seems unlikely to be an issue we should be concerned about but I'm fine with unlocking the dependency version so consumers of the npm packages can pick up the patched version.

Review comment on .yarn/versions/ce18c01f.yml (outdated, resolved)
@merceyz merceyz changed the title Update cross-spawn chore: unlock cross-spawn range Nov 19, 2024
@lswith lswith requested a review from merceyz November 19, 2024 22:09
@mjdavidson

hey @merceyz do you know when this will be merged?

@merceyz merceyz added this pull request to the merge queue Nov 25, 2024
Merged via the queue into yarnpkg:master with commit cc2f719 Nov 25, 2024
26 checks passed
@yermulnik

Apologies for the dumb question as I'm not familiar with npm at all; do I get it right that this PR should fix the below npm audit report?

```
# npm audit report

cross-spawn  7.0.0 - 7.0.4
Severity: high
Regular Expression Denial of Service (ReDoS) in cross-spawn - https://github.com/advisories/GHSA-3xgq-45jj-v275
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/cross-spawn
  @yarnpkg/core  *
  Depends on vulnerable versions of @yarnpkg/shell
  Depends on vulnerable versions of cross-spawn
  node_modules/@yarnpkg/core
    renovate  0.0.0-semantic-release || 22.22.0 - 22.22.2 || >=22.23.0
    Depends on vulnerable versions of @yarnpkg/core
    node_modules/renovate
  @yarnpkg/shell  *
  Depends on vulnerable versions of cross-spawn
  node_modules/@yarnpkg/shell

4 high severity vulnerabilities
```

If yes, then could you please give a hint on when @yarnpkg/core is going to pick this update up and get a new release cut? Thanks.

The other PR to fix the same vuln (just linking for visibility): #6605
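As an added example, not code from this PR or from the Yarn project: a small Python check that applies the affected range from the audit report above (cross-spawn 7.0.0 - 7.0.4, GHSA-3xgq-45jj-v275) to constructed yarn.lock entries, and confirms that a caret range would admit the patched release once the pin is unlocked. The lockfile snippet and the `caret_allows` helper are assumptions for illustration.

```python
# Added example: does a lockfile entry for cross-spawn resolve inside the
# range flagged by npm audit, and does an unlocked caret range let the
# patched version through? Sample inputs below are constructed.
import re

AFFECTED_MIN = (7, 0, 0)
AFFECTED_MAX = (7, 0, 4)   # inclusive, as reported by npm audit

def parse_version(v):
    """Parse a plain x.y.z version into a comparable tuple."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", v.strip())
    if not m:
        raise ValueError(f"not a plain x.y.z version: {v!r}")
    return tuple(int(x) for x in m.groups())

def is_affected(version):
    """True when the resolved version lies in the advisory's affected range."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX

def caret_allows(spec, candidate):
    """Minimal semver caret check (assumed helper): ^a.b.c admits
    >=a.b.c and <(a+1).0.0 for a>0, or <0.(b+1).0 when a==0."""
    if not spec.startswith("^"):
        raise ValueError("only caret ranges are handled here")
    base = parse_version(spec[1:])
    cand = parse_version(candidate)
    upper = (base[0] + 1, 0, 0) if base[0] > 0 else (0, base[1] + 1, 0)
    return base <= cand < upper

# Constructed yarn.lock fragment: one exact pin (what the PR unlocks) and
# one caret descriptor that already resolved to the patched release.
LOCK_SNIPPET = """\
"cross-spawn@npm:7.0.3":
  version: 7.0.3
"cross-spawn@npm:^7.0.3":
  version: 7.0.5
"""

def resolved_versions(lock_text):
    """Map each cross-spawn descriptor to the version the lockfile resolved."""
    return dict(re.findall(r'"cross-spawn@npm:([^"]+)":\n\s+version: (\S+)', lock_text))

def audit(lock_text):
    """Descriptor -> True if its resolved version is in the affected range."""
    return {spec: is_affected(ver) for spec, ver in resolved_versions(lock_text).items()}
```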

@merceyz
Member

merceyz commented Nov 25, 2024

Note that this isn't an issue you should be worried about.
When a package can pass arguments to cross-spawn why go for a ReDoS when it has shell access.


> do I get it right that this PR should fix the below npm audit report?

Maybe, it unlocks the SemVer range so you can pick up the patched version.

> If yes, then could you please give a hint on when @yarnpkg/core is going to pick this update up and get a new release cut?

I've created a new release now.

@yermulnik

> Note that this isn't an issue you should be worried about.

And I'm not =) But the required check fails because of the npm audit for the linked PR I created in another repo 🤷🏻

> If yes, then could you please give a hint on when @yarnpkg/core is going to pick this update up and get a new release cut?

> I've created a new release now.

Thank you.

@lswith lswith deleted the patch-1 branch November 25, 2024 23:02