Upgrade cross-spawn Dependency to Address Security Vulnerability (ReDoS) #167
Comments
|
Hi, are there any updates for this issues? |
|
I'm happy to take ownership or co-author the fix if you're interested. |
|
I think this project need new owner |
|
NPM really needs a "disregard CVE" feature.. Are you really going to let your production project and it's users direct access to commit on your project or let them execute unsanitized commands with cross-spawn ? If you do, you have other things to worry about than ReDos, I don't know why it's even rated high in cross-spawn. There is no logic to the CVE rating in NPM While it would be nice to upgrade, this is not a real vulnerability |
|
@Tofandel As much as I agree with everything that you wrote, the last commit on this repo was 6 years ago, everything is left unanswered, PRs and requests to collaborate or transfer ownership are ignored — all of this is just uncool, simply speaking. (I mean, I myself have a history of abandoning the open source projects that outlived their purposes, but the very least I could do is to update the README to include This is no longer maintained, please consider the following alternatives for those few folks who trusted my humble contributions to OSS). |
pre-commit/package.json
Line 33 in a84bdc8
Versions of the package cross-spawn before 7.0.5 are vulnerable to Regular Expression Denial of Service (ReDoS) due to improper input sanitization. An attacker can increase the CPU usage and crash the program by crafting a very large and well crafted string.
Details of the issue:
Package: cross-spawn
Current version: ^5.0.1
Vulnerable versions: <7.0.5
Fixed version: >=7.0.5
Impact: Increased CPU usage or crash due to ReDoS
The text was updated successfully, but these errors were encountered: