This repository has been archived by the owner on Jan 18, 2024. It is now read-only.

Npm package Vulnerability in tree-kill for windows machines #2004

Closed
arash-a2k opened this issue Apr 26, 2020 · 1 comment

Comments

@arash-a2k

Description

npm dependency Vulnerability
expo-cli > @expo/xdl > tree-kill

Expected Behavior

Not having Vulnerable dependencies

```
│ High          │ Command Injection                                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ tree-kill                                                    │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=1.2.2                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ expo-cli                                                     │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ expo-cli > @expo/xdl > tree-kill                             │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1432                            │
└───────────────┴──────────────────────────────────────────────────────────────┘
```
@brentvatne
Member

I suggest reading the advisory; this is indeed a vulnerability in certain situations (if you run this on a server and pass in arbitrary user-generated content to tree-kill), but in the context that expo-cli runs in it is not. That said, this was an easy fix, so I went ahead and updated it; it'll go out in the next release.


2 participants