-
Notifications
You must be signed in to change notification settings - Fork 104
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
CVE-2024-21538 | Regular Expression Denial of Service (ReDoS) in cross-spawn | Version Fixed? #167
Comments
Yes it's fixed in 7.0.5. Maybe the CVE database has not been yet updated, however it shows in history:
|
Hi @Scc33 |
cross-spawn has a vulnerability moxystudio/node-cross-spawn#167. This should allow the latest version of the cross-spawn package to work.
I think the CVE database wasn't updated. It's now showing 7.0.5 and 7.0.6 as clean. Thanks! |
cross-spawn has a vulnerability moxystudio/node-cross-spawn#167. This should allow the latest version of the cross-spawn package to work. ## What's the problem this PR addresses? <!-- Describe the rationale of your PR. --> <!-- Link all issues that it closes. (Closes/Resolves #xxxx.) --> ... ## How did you fix it? <!-- A detailed description of your implementation. --> ... ## Checklist <!--- Don't worry if you miss something, chores are automatically tested. --> <!--- This checklist exists to help you remember doing the chores when you submit a PR. --> <!--- Put an `x` in all the boxes that apply. --> - [x] I have read the [Contributing Guide](https://yarnpkg.com/advanced/contributing). <!-- See https://yarnpkg.com/advanced/contributing#preparing-your-pr-to-be-released for more details. --> <!-- Check with `yarn version check` and fix with `yarn version check -i` --> - [x] I have set the packages that need to be released for my changes to be effective. <!-- The "Testing chores" workflow validates that your PR follows our guidelines. --> <!-- If it doesn't pass, click on it to see details as to what your PR might be missing. --> - [x] I will check that all automated PR checks pass before the PR gets reviewed.
Hi everyone, i got dependabot alert for cross-spawn. Which version should i choose? 7.0.5 or 7.0.6? |
Is this CVE still a problem with version 7.0.5+?
Seems like it was fixed by #160 but I'm still seeing it pop up as a vulnerability in my build system even on the newest version.
The text was updated successfully, but these errors were encountered: