-
-
Notifications
You must be signed in to change notification settings - Fork 19
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fix-vuln: patch cross-spawn to fix ReDoS vulnerability #60
base: main
Are you sure you want to change the base?
fix-vuln: patch cross-spawn to fix ReDoS vulnerability #60
Conversation
Please let me know if there's anything I can do to help get this merged |
+1 |
1 similar comment
+1 |
Any news? |
From the commit history, it seems like only @isaacs is authoring and committing in this project these past few years. He's also involved in other major projects (like glob and npm), so my assumption is that he's busy and will get to this when possible. |
I have just nudged cross-spawn up to the new patch ( Running
|
+1 |
2 similar comments
+1 |
+1 |
bump |
Can you validate and merge that fix please ? |
+1 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Severity : High 7.5 / 10
EPSS score: 0.045% (17th percentile)
Weaknesses : https://github.com/advisories?query=cwe%3A1333
CVE ID : CVE-2024-21538
GHSA ID : GHSA-3xgq-45jj-v275
Versions of the package cross-spawn before 7.0.5 are vulnerable to Regular Expression Denial of Service (ReDoS) due to improper input sanitization. An attacker can increase the CPU usage and crash the program by crafting a very large and well crafted string.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It's OK 👍
Thanks for all the approvals. What kind of timeline are we looking at, for a merge? |
We hope that it will be merged soon, thanks to @pablokurskii ! |
None of the 4 reviewers who have approved this MR so far, have write-access in this repo |
To be clear, this PR is entirely unnecessary because it's using |
hi @ljharb, I know that it's using |
Updating this package won't cause npm to be updated, though, because npm bundles its deps - meaning, you can ask npm to do the update in its next version without any changes in this package. It's not that it hurts to make this change - it's that literally anyone who thinks this PR will help them is misinformed, and is already empowered to help themselves (except if you depend on npm, but npm shouldn't be available in production anyways) |
Thanks for sharing your insights @ljharb I see CVEs with high scores flying around on open source projects, and I figure I can try to give a hand, basically. This PR is about fixing the foreground-child vuln. If and when the fix is released, I'll open a similar PR in the glob repo. Then I'll open a PR in the tsoa repo. Even with what you say about npm, I don't know that this PR is "entirely unnecessary". If you disagree please say so -- I'm willing to listen and I'm trying to help |
foreground-child doesn’t have a vuln - that’s not how vulnerabilities work. only cross-spawn does, and you can update it in your own application to no longer be vulnerable. None of the dependencies in between your app and cross-spawn need to be touched, or bothered, or helped - that’s the entire point of semver ranges, so that everyone can quietly just fix their own problems whenever they come up without volunteer unpaid maintainers needing to put in additional time. |
You're right, I just misspoke.
I did, but thanks for pointing it out.
This feels like you're trying to make me feel bad, which I don't get. Then again social stuff is not my forte. Assuming you want left alone, I'll unsub from this PR and be fine with whatever happens to it |
I’m not, really - i just want to be very clear to any participants, subscribers, or future readers how semver ranges and lockfiles and vulns work together. |
@ljharb, I updated the cross-spawn version in my packages, but when the pipeline builds, I still encounter this vulnerability. Even though the cross-spawn package is updated to version 7.0.6, the Trivy scan found this vulnerability in the base image packages. In the Dockerfile, I’m using the 23-alpine3.19 base image. Should Node.js build the image with updated packages, or is there another solution? |
yes, in this case it's coming from bundled npm, which means npm has to update and release, and then node has to update (or you can |
@ljharb from my understanding this PR is needed, at least for the edits to the package-lock.json. As you pointed out, in the package.json the dependency on cross-spawn is unpinned and thus consumers should be able to install a higher version locally. However, when I look at the package-lock.json currently on the main branch there is a version of cross-spawn that is pinned at 7.0.3. I may be misunderstanding how this works but I believe this is what's causing consumers problems. |
@Moriahzimm you are; package-lock.json is dev-only, and can't ever have any effect on consumers of the package when installed. |
Hi! Thanks for putting open-source code out there. I appreciate you.
Context
I analyzed one of my projects on Snyk and noticed a high vulnerability from somewhere down my dependency chain.
@tsoa/[email protected] › [email protected] › [email protected] › [email protected]
It turns out cross-spawn < 7.0.5 is the problem. The fix is as simple as to update to that patch number or above. (Source: https://security.snyk.io/vuln/SNYK-JS-CROSSSPAWN-8303230)
What this PR accomplishes
This PR updates the cross-spawn dependency to its lates patch version number: 7.0.5, published two days ago.
Approach and tests
I've simply ran
npm audit fix
on the project, thennpm test
. Here's the output I saw: