patch-package
[SECURITY] Bump cross-spawn, CVE-2024-21538
Summary
This pull request upgrades the cross-spawn dependency to version 7.0.6, addressing a high-severity security vulnerability identified as CVE-2024-21538. The upgrade ensures the application is protected against potential exploitation via a Regular Expression Denial of Service (ReDoS) attack.
Detailed Description
Vulnerability Details
- CVE-2024-21538:
  - Description: Versions of the `cross-spawn` package prior to 7.0.5 are vulnerable to a ReDoS attack. The issue arises from improper input sanitization in regular expressions, allowing attackers to craft malicious strings that significantly increase CPU usage and may lead to application crashes.
  - Severity: High (CVSS Score: 7.5)
  - Patched Versions: v7.0.5 and later
Changes Made
- Updated the `cross-spawn` dependency in `package.json` to v7.0.6.
- Ran `npm install` (or equivalent) to regenerate `package-lock.json`, ensuring consistency with the updated version.
Impact on Codebase
- Dependencies:
  - This change updates only the `cross-spawn` package. No other dependencies are affected.
- Functionality:
  - There are no changes to the application logic or functionality. This is a security-focused dependency update.
- Performance:
  - Mitigates potential performance degradation caused by ReDoS attacks in prior versions.
- Security:
  - Resolves a high-severity vulnerability, enhancing the overall security posture of the application.
Testing & Validation
- Verified that all existing test cases pass successfully with the updated dependency.
- Manually tested core functionality relying on `cross-spawn` to confirm no regressions or issues.
- Reviewed the changelog for `cross-spawn` v7.0.6 to ensure compatibility with our current usage.
Would be good to get this reviewed / merged rather than relying on npm update cross-spawn
Why do we need this PR? The ^ versions should already cause npm install to install the latest version of those packages. If you already had the package installed, then you can either do an npm update or just nuke node_modules and redo your npm install.
The ^ versions should already cause npm install to install the latest version of those packages.
@YasharF The semantics of npm install / ci are not as straightforward as that - there are situations where the resolver will prefer a lower version of a package if it is already a candidate in package-lock
Any news on this?
@nleborgne
Any news on this?
The ^ versions should already include the fixed cross-spawn. To ensure your project uses the latest patched versions, update your npm packages by running either `npm update --save` or `rm -rf package-lock.json && rm -rf node_modules && npm install`. If your application breaks due to these updates, it's important to address compatibility issues within your application to ensure it handles the latest versions appropriately.
If dependency resolution is still forcing an older, vulnerable version of cross-spawn, it's likely caused by another package in your project. You can investigate the source by running `npm ls cross-spawn` to identify which package is pulling in the unpatched version. Once pinpointed, you may need to reach out to the developer of that package to address the issue.
In cases where a dependency introduces an unresolved regression or backward incompatibility, pinning a specific version of an npm module in your package.json can be a temporary approach while the issue is being addressed by the package owner. If that pinned version includes a vulnerable version of cross-spawn, you can override it using an override block like the following in your package.json while waiting for an update.
"dependencies": {
...
},
"devDependencies": {
...
},
"overrides": {
"<dependency_name>": {
"<nested_dependency_name>": "<exact_version_or_range>"
}
}
...
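The `npm ls cross-spawn` check and the `overrides` suggestion from the comment above, done offline against `package-lock.json` so it can run in CI before `npm ci` reinstalls whatever the lock pins. This is an added example, not code from the patch-package PR or project. It assumes a lockfileVersion 2 or 3 lock (the `packages` map keyed by `node_modules/...` paths); the sample lock, the dependency name `some-cli-tool` and its versions are constructed for illustration, and `7.0.5` is the first patched release quoted in the PR.

```javascript
// Added example (not part of the patch-package PR or project): walk a
// package-lock.json "packages" map (lockfileVersion 2/3), list every resolved
// copy of a dependency, flag copies older than the patched release, and build
// the package.json "overrides" block that would force the patched range on
// the parents that pulled in the old copy.

// Parse "7.0.5"-style versions into [major, minor, patch]; null if unparsable.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? m.slice(1).map(Number) : null;
}

// Numeric compare of two parsed versions: negative, zero or positive.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] - b[i];
  }
  return 0;
}

// Every installed copy of `name`, with the lock path that identifies who pulled it in.
// Match the last path segment only so "cross-spawn-async" is not mistaken for "cross-spawn".
function findInstalledCopies(lock, name) {
  const copies = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === `node_modules/${name}` || path.endsWith(`/node_modules/${name}`)) {
      copies.push({ path, version: meta.version });
    }
  }
  return copies;
}

// Copies older than `patched`. An unparsable version is reported as vulnerable
// (fail closed) rather than silently skipped.
function findVulnerableCopies(lock, name, patched) {
  const floor = parseVersion(patched);
  return findInstalledCopies(lock, name).filter(({ version }) => {
    const v = parseVersion(version);
    return v === null || compareVersions(v, floor) < 0;
  });
}

// Build an "overrides" object forcing `range` for `name` under each parent chain
// that carried a vulnerable nested copy. A vulnerable copy installed directly at
// the top level is returned separately: npm does not allow overriding a direct
// dependency to a different spec, so that one must be bumped in package.json.
function suggestOverrides(vulnerableCopies, name, range) {
  const overrides = {};
  const direct = [];
  for (const { path } of vulnerableCopies) {
    // "node_modules/a/node_modules/b/node_modules/<name>" -> parents ["a", "b"]
    const segments = path.replace(/^node_modules\//, "").split("/node_modules/");
    const parents = segments.slice(0, -1);
    if (parents.length === 0) {
      direct.push(path);
      continue;
    }
    let node = overrides;
    for (const parent of parents) {
      node[parent] = node[parent] || {};
      node = node[parent];
    }
    node[name] = range;
  }
  return { overrides, direct };
}

// Constructed sample lock (lockfileVersion 3), not from any real project: the
// top-level cross-spawn is patched, but the hypothetical "some-cli-tool" pins a
// ^6 range and so keeps its own nested, unpatched copy. This is exactly the
// situation `npm ls cross-spawn` is used to diagnose.
const SAMPLE_LOCK = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", dependencies: { "cross-spawn": "^7.0.3", "some-cli-tool": "^1.0.0" } },
    "node_modules/cross-spawn": { version: "7.0.6" },
    "node_modules/some-cli-tool": { version: "1.0.0", dependencies: { "cross-spawn": "^6.0.0" } },
    "node_modules/some-cli-tool/node_modules/cross-spawn": { version: "6.0.5" },
  },
};

const PATCHED = "7.0.5"; // first fixed release, per the advisory quoted in the PR

function main() {
  const bad = findVulnerableCopies(SAMPLE_LOCK, "cross-spawn", PATCHED);
  for (const { path, version } of bad) {
    console.log(`vulnerable: ${path}@${version} (< ${PATCHED})`);
  }
  const { overrides, direct } = suggestOverrides(bad, "cross-spawn", `^${PATCHED}`);
  if (direct.length) console.log(`bump in package.json directly: ${direct.join(", ")}`);
  console.log('suggested "overrides":', JSON.stringify(overrides, null, 2));
  return bad.length;
}

main();
```

Point the script at a real lock with `JSON.parse(fs.readFileSync("package-lock.json"))` in place of `SAMPLE_LOCK`; a CI wrapper would fail the job when `main()` returns a non-zero count. The override it prints is the temporary measure described above: keep it only until the parent package ships its own bump, and re-run the check after every `npm update`, since a re-resolved lock can reintroduce the nested copy.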