chore(deps): update cross-spawn to v7.0.6
#6605
Conversation
dargmuesli
force-pushed
the
chore/deps/cross-spawn
branch
from
ae077c7 to
7f6fc35
Compare
There was a problem hiding this comment.
Based on moxystudio/node-cross-spawn#160 this seems unlikely to be an issue we should be concerned about.
including all transitive dependencies
That's unnecessary.
.yarn/versions/2f387047.yml
Outdated
| releases: | ||
| "@yarnpkg/builder": patch | ||
| "@yarnpkg/cli": patch | ||
| "@yarnpkg/core": patch | ||
| "@yarnpkg/doctor": patch | ||
| "@yarnpkg/extensions": patch | ||
| "@yarnpkg/nm": patch | ||
| "@yarnpkg/plugin-compat": patch | ||
| "@yarnpkg/plugin-constraints": patch | ||
| "@yarnpkg/plugin-dlx": patch | ||
| "@yarnpkg/plugin-essentials": patch | ||
| "@yarnpkg/plugin-exec": patch | ||
| "@yarnpkg/plugin-file": patch | ||
| "@yarnpkg/plugin-git": patch | ||
| "@yarnpkg/plugin-github": patch | ||
| "@yarnpkg/plugin-http": patch | ||
| "@yarnpkg/plugin-init": patch | ||
| "@yarnpkg/plugin-interactive-tools": patch | ||
| "@yarnpkg/plugin-link": patch | ||
| "@yarnpkg/plugin-nm": patch | ||
| "@yarnpkg/plugin-npm": patch | ||
| "@yarnpkg/plugin-npm-cli": patch | ||
| "@yarnpkg/plugin-pack": patch | ||
| "@yarnpkg/plugin-patch": patch | ||
| "@yarnpkg/plugin-pnp": patch | ||
| "@yarnpkg/plugin-pnpm": patch | ||
| "@yarnpkg/plugin-stage": patch | ||
| "@yarnpkg/plugin-typescript": patch | ||
| "@yarnpkg/plugin-version": patch | ||
| "@yarnpkg/plugin-workspace-tools": patch | ||
| "@yarnpkg/pnpify": patch | ||
| "@yarnpkg/sdks": patch | ||
| "@yarnpkg/shell": patch |
There was a problem hiding this comment.
Only need a patch release on core, shell, and the cli.
dargmuesli
force-pushed
the
chore/deps/cross-spawn
branch
from
7f6fc35 to
3798ef8
Compare
I'd argue it's necessary as without updating |
|
Thanks for the PR but I'll close this since it isn't a vulnerability we need to worry about and with #6606 merged and released consumers of the npm packages can get the patched version of cross-spawn. |
What's the problem this PR addresses?
There's a Regular Expression Denial of Service (ReDoS) in cross-spawn >= 7.0.0, < 7.0.5; < 6.0.6
How did you fix it?
Update
cross-spawnto v7.0.6, including all transitive dependenciesChecklist
I have read the Contributing Guide.
I have set the packages that need to be released for my changes to be effective.
I will check that all automated PR checks pass before the PR gets reviewed.