Backport GHSA-3xgq-45jj-v275 #165

Closed
G-Rath opened this issue Nov 17, 2024 · 2 comments

G-Rath commented Nov 17, 2024

I hate to be "that guy", but what are the chances of getting the security fix backported to at least v6? That version is still mentioned by the readme as the way to go if you need to support less than node v7, and has had ~20,060,800 downloads in the last 7 days, so it is clearly very popular.

Ideally it would be great to have backported for v5, v4, and v3 as well but I know it's annoying to do and ideally people should be upgrading.

It looks to me like the updated regex should apply safely to at least the v6 version - please let me know if there is anything I can do to reduce the effort from you to do the backporting.

(Also, thanks for your work on this library - I know these can be annoying to deal with, especially these kinds of vulnerabilities, which tend to only be exploitable in very rare situations; sadly, for security compliance reasons we've got to get these patched regardless, which is why having a backport or two would help greatly.)

satazor (Contributor) commented Nov 18, 2024

cross-spawn@6.0.6 was published with the backport

satazor closed this as completed Nov 18, 2024
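For anyone who lands here for the compliance reason G-Rath describes, the practical question is which installed copies of cross-spawn still predate the backport. The following is an added example, not code from cross-spawn or from anyone in this thread: it walks a package-lock.json (lockfileVersion 2 or 3, where every installed copy, nested ones included, appears under "packages") and compares each cross-spawn entry with the first fixed release on its line. The only fixed version stated in this thread is 6.0.6 for the 6.x line, so that is the only one the example knows; copies on other lines are reported as "unknown" rather than guessed. The lockfile fragment, the package paths in it and the function names are constructed for the demo.

```javascript
// Added example, not code from cross-spawn or from this thread.
// Audits a package-lock.json (lockfileVersion 2 or 3) for cross-spawn installs
// and classifies each one against the fixed version for its release line.
// Only the 6.x fix (6.0.6) is stated in the thread; other lines are "unknown".

// Parse "6.0.6" or "6.0.6-beta.1" into [6, 0, 6]; the pre-release tag is ignored.
function parseVersion(version) {
  return version.split('-')[0].split('.').map(Number);
}

// Numeric component-wise comparison: negative if a < b, 0 if equal, positive if a > b.
// Numeric (not string) comparison matters: "6.0.10" is newer than "6.0.6".
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const diff = (pa[i] || 0) - (pb[i] || 0);
    if (diff !== 0) return diff;
  }
  return 0;
}

// Walk every "packages" entry whose path ends in node_modules/cross-spawn
// (nested copies under other packages included) and classify it.
// fixedByMajor maps a major version to the first fixed release on that line;
// the default carries only the 6.0.6 backport named in this thread.
function auditCrossSpawn(lockfile, fixedByMajor = { 6: '6.0.6' }) {
  const findings = [];
  for (const [path, meta] of Object.entries(lockfile.packages || {})) {
    if (!path.endsWith('node_modules/cross-spawn') || !meta.version) continue;
    const major = parseVersion(meta.version)[0];
    const fixed = fixedByMajor[major];
    let status;
    if (fixed === undefined) {
      status = 'unknown';      // no fixed version known for this release line
    } else if (compareVersions(meta.version, fixed) < 0) {
      status = 'vulnerable';   // older than the fixed release on this line
    } else {
      status = 'fixed';
    }
    findings.push({ path, version: meta.version, status });
  }
  return findings;
}

// Constructed lockfile fragment for the demo: a hypothetical project with
// three copies of cross-spawn, one at the top level and two nested.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/cross-spawn': { version: '6.0.5' },
    'node_modules/pkg-a/node_modules/cross-spawn': { version: '6.0.6' },
    'node_modules/pkg-b/node_modules/cross-spawn': { version: '7.0.3' },
  },
};

for (const f of auditCrossSpawn(SAMPLE_LOCK)) {
  console.log(`${f.status.padEnd(10)} ${f.version.padEnd(8)} ${f.path}`);
}
```

To run it against a real project, replace SAMPLE_LOCK with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`. The walk covers the flat "packages" map of lockfile versions 2 and 3 only; a lockfileVersion 1 file nests copies under "dependencies" and would need a recursive walk. When you learn the fixed version for another line from the advisory, add it to fixedByMajor rather than treating "unknown" as safe.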
G-Rath (Author) commented Nov 18, 2024

amazing thanks @satazor - I've made github/advisory-database#5021 updating the advisory to reflect that

huge thanks again and ❤️ for doing this!
