[Bug]: Jest v30.1.3 uses outdated cross-spawn dependency causing security vulnerabilities
Version
30.1.3
Steps to reproduce
Jest v30.1.3 still depends on an outdated version of cross-spawn (7.0.3) through its dependency chain, which contains security vulnerability CVE-2024-21538. This causes security scanners like Trivy to fail CI/CD pipelines.
[email protected] → @jest/[email protected] → [email protected] → [email protected] → cross-spawn@^7.0.3
Expected behavior
Jest should use the latest secure version of cross-spawn (7.0.6+) to avoid security vulnerabilities.
Actual behavior
Jest pulls in [email protected] through [email protected], triggering security alerts.
CVE-2024-21538 causing Trivy scan failures
I built an app on Next.js, dockerized it, and then made a CI/CD pipeline which runs: test, code analysis, build Docker image, run Trivy scans ---> fails because of cross-spawn version 7.0.3, push image, run k8s deployment file.
Error:
```
Node.js (node-pkg)
Total: 1 (HIGH: 1, CRITICAL: 0)
┌────────────────────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬───────────────────────────────────────────────────┐
│          Library           │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                       Title                       │
├────────────────────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼───────────────────────────────────────────────────┤
│ cross-spawn (package.json) │ CVE-2024-21538 │ HIGH     │ fixed  │ 7.0.3             │ 7.0.5, 6.0.6  │ cross-spawn: regular expression denial of service │
│                            │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-21538        │
└────────────────────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴───────────────────────────────────────────────────┘
```
Additional context
No response
Environment
Jest version: 30.1.3
Node.js version: 20.x
Package manager: npm
Security scanner: Trivy
I don't see [email protected] getting pulled in v30.1.3 when trying to reproduce your issue. Maybe there's an override somewhere in your project's package.json?
It doesn't show up doing `npm ls cross-spawn`, but when you look into package-lock.json and search for cross-spawn it shows you all cross-spawn versions being used, and one of them is version 7.0.3, which is causing issues in deployments due to the CVE.
```json
"node_modules/execa": {
  "version": "5.1.1",
  "resolved": "https://registry.npmjs.org/execa/-/execa-5.1.1.tgz",
  "integrity": "sha512-8uSpZZocAZRBAPIEINJj3Lo9HyGitllczc27Eh5YYojjMFMn8yHMDMaUHE2Jqfq05D/wucwI4JGURyXt1vchyg==",
  "dependencies": {
    "cross-spawn": "^7.0.3",
    "get-stream": "^6.0.0",
    "human-signals": "^2.1.0",
    "is-stream": "^2.0.0",
    "merge-stream": "^2.0.0",
    "npm-run-path": "^4.0.1",
    "onetime": "^5.1.2",
    "signal-exit": "^3.0.3",
    "strip-final-newline": "^2.0.0"
  },
  "engines": {
    "node": ">=10"
  },
  "funding": {
    "url": "https://github.com/sindresorhus/execa?sponsor=1"
  }
}
```
That's incorrect. According to Semantic Versioning, cross-spawn in the snippet you've posted is allowed to be higher in terms of minor version. Indeed, what I've shown was that the installed cross-spawn is 7.0.6, aka the fixed version.
Vuln scanners should take into account what has been installed instead.
The issue is that version 7.0.6 is installed but not being used. When I uninstall jest and redeploy, it works perfectly, but with jest and the tests the package-lock.json shows cross-spawn version 7.0.3 is used and it fails the test.
If you use yarn's resolutions or npm's overrides then it's possible to have a lower version of a dependency getting resolved and pulled from the registry.
I have done another cross-check and can guarantee to you that the latest Jest will pull in [email protected] all the time, except for errors pertaining to non-Jest causes (networks, infra, et cetera).
Jest's dependency [email protected] is outdated. The latest execa version (8.x) uses cross-spawn@^7.0.6.
jest → @jest/core → jest-changed-files → [email protected] → cross-spawn@^7.0.3
This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 30 days.
No response :) very sad
same issue
```
npm ls cross-spawn
neon-ts@ /home/erik/code/neon-ts
└─┬ [email protected]
  └─┬ @jest/[email protected]
    ├─┬ @jest/[email protected]
    │ └─┬ [email protected]
    │   └─┬ [email protected]
    │     └── [email protected] deduped
    └─┬ [email protected]
      └─┬ [email protected]
        └── [email protected]
```
There isn't anyone to respond here, very bad.
Yeah, not a good sign. I removed jest as a dependency.
What did you use then? I'm also thinking of removing it.
I switched to Vitest. It's about 4x faster than jest for my use case.
Yes, I should too.