
Upgrade execa dependency to reduce security risk #358

Open
whaber opened this issue Jul 20, 2020 · 2 comments
Labels
security security stuffs

Comments

@whaber
Contributor

whaber commented Jul 20, 2020

Project depends on 0.7.0, which has a vulnerability (OS Command Injection in execa).

Upgrade dependency to latest version https://www.npmjs.com/package/execa/v/4.0.3

@veeara282 veeara282 added the security security stuffs label Jul 23, 2020
@veeara282
Contributor

veeara282 commented Jul 29, 2020

This was identified by GitLab, so NPM can't create an advisory for it due to copyright. I say we should still see where execa is used in this app and make sure the vulnerability can't be exploited.

From the GitLab advisory:

Attackers could trick execa into executing arbitrary binaries. This behaviour is caused by the setting preferLocal=true, which makes execa search for locally installed binaries and execute them.

We should be able to resolve this by upgrading to 2.0.0 or later.

@colbymorrison
Contributor

Execa is not used by any of our direct dependencies, only dev-dependencies. So, this is not an urgent issue.
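To check the claim in the comments (which copies of execa are in the tree, at what version, and whether they are reachable only through dev dependencies), here is an added example, not code from this issue or from the project: a Node script that walks an npm lockfileVersion 1 package-lock.json and flags copies older than the 2.0.0 fix named above. The lockfile contents are constructed for illustration.

```javascript
// Added example (not from the issue or the project). Walks an npm
// lockfileVersion 1 package-lock.json ("dependencies" nested per package,
// each with "version" and an optional "dev": true flag) and reports every
// copy of execa, its version, whether it is dev-only, and whether it is
// older than the 2.0.0 release the thread identifies as the fix.
const FIXED_IN = [2, 0, 0];

function parseVersion(v) {
  // Lockfiles carry exact versions ("0.7.0"); drop any pre-release/build tag.
  return v.split(/[-+]/)[0].split('.').map((n) => parseInt(n, 10) || 0);
}

function lessThan(a, b) {
  for (let i = 0; i < 3; i++) {
    if ((a[i] || 0) !== (b[i] || 0)) return (a[i] || 0) < (b[i] || 0);
  }
  return false;
}

function auditExeca(lock, pkgName = 'execa') {
  const findings = [];
  const walk = (deps, path) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const here = path.concat(name);
      if (name === pkgName) {
        findings.push({
          path: here.join(' > '),
          version: meta.version,
          dev: Boolean(meta.dev),
          vulnerable: lessThan(parseVersion(meta.version), FIXED_IN),
        });
      }
      walk(meta.dependencies, here); // nested (non-hoisted) copies
    }
  };
  walk(lock.dependencies, []);
  return findings;
}

// Constructed sample lockfile mirroring the thread: an old execa reachable
// only through a dev dependency, plus an unrelated runtime dependency.
const SAMPLE_LOCK = {
  lockfileVersion: 1,
  dependencies: {
    'some-dev-tool': {
      version: '1.2.3',
      dev: true,
      dependencies: { execa: { version: '0.7.0', dev: true } },
    },
    'runtime-lib': { version: '3.0.0' },
  },
};

for (const f of auditExeca(SAMPLE_LOCK)) {
  console.log(`${f.vulnerable ? 'VULNERABLE' : 'ok'} execa@${f.version} ${f.dev ? '(dev only)' : '(runtime)'} at ${f.path}`);
}
```

To run it against a real project, replace SAMPLE_LOCK with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`; a runtime (non-dev) finding is the case the second comment asks to confirm is not exploitable.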
