[BUG] CVE-2024-21538 - cross-spawn to 7.0.5+
Problem
Is there an existing issue for this?
- [X] I have searched the existing issues

This issue exists in the latest npm version
- [X] I am using the latest npm

Current Behavior
@wraithgar Since we cannot create updates of bundled node_modules, could you please bump the `cross-spawn` to 7.0.5 or higher? https://security.snyk.io/vuln/SNYK-JS-CROSSSPAWN-8303230

Expected Behavior
_No response_

Steps To Reproduce
1. In this environment...
2. With this config...
3. Run '...'
4. See error...

Environment
- npm:
- Node.js:
- OS Name:
- System Model Name:
- npm config: [code block]
1 Fix
Upgrade cross-spawn to version 7.0.5 or higher
The vulnerability CVE-2024-21538 affects versions of the 'cross-spawn' package below 7.0.5. This vulnerability can lead to security risks in applications that rely on this package for spawning child processes. The current version in use is outdated and does not include the necessary security patches.
1. Check current version of cross-spawn
Verify the currently installed version of the 'cross-spawn' package in your project to confirm it is below 7.0.5.
```bash
npm list cross-spawn
```
2. Update cross-spawn package
Run the following command to update 'cross-spawn' to the latest version, which should be 7.0.5 or higher.
```bash
npm install cross-spawn@^7.0.5
```
3. Verify the update
After updating, check the version again to ensure it has been upgraded successfully to 7.0.5 or higher.
```bash
npm list cross-spawn
```
4. Run tests
Execute your application's test suite to ensure that the upgrade does not introduce any breaking changes.
```bash
npm test
```
Validation
Confirm that the installed version of 'cross-spawn' is 7.0.5 or higher and that all tests pass without errors. Additionally, check for any security warnings related to 'cross-spawn' using 'npm audit'.
Submitted by
Alex Chen
2450 rep
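A dependency can carry its own nested copy of cross-spawn that stays below 7.0.5 after the top-level package is upgraded, so the version check in steps 1 and 3 is worth running against every copy in the lockfile. The following is an added example, not part of the submitted fix or of npm itself: it assumes a `package-lock.json` with a `packages` map (lockfileVersion 2 or 3), uses the 7.0.5 threshold stated on this page, and runs on a constructed sample lockfile whose package names `demo-app`, `example-tool` and `cross-spawn-helper` are hypothetical.

```javascript
// Added example: lockfile check for cross-spawn copies below the fixed version.
// The 7.0.5 threshold is the one stated on this page.
const FIXED = [7, 0, 5];

// Parse "major.minor.patch"; any prerelease/build suffix is ignored.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? m.slice(1).map(Number) : null;
}

// True when version a is lower than version b (arrays of three numbers).
function isBelow(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i];
  }
  return false;
}

// Walk the "packages" map of a parsed package-lock.json and return every
// installed copy of cross-spawn, including copies nested under other packages.
function findCrossSpawn(lock) {
  const results = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    // Match only a path segment that is exactly "node_modules/cross-spawn".
    if (!/(^|\/)node_modules\/cross-spawn$/.test(path)) continue;
    const parsed = parseVersion(entry.version);
    results.push({
      path,
      version: entry.version,
      // Unparseable versions are flagged so they get reviewed by hand.
      vulnerable: parsed === null || isBelow(parsed, FIXED),
    });
  }
  return results;
}

// Constructed sample lockfile: the top-level copy is patched, a nested one is not.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/cross-spawn": { version: "7.0.6" },
    "node_modules/example-tool/node_modules/cross-spawn": { version: "7.0.3" },
    "node_modules/cross-spawn-helper": { version: "1.0.0" },
  },
};

for (const r of findCrossSpawn(sampleLock)) {
  console.log(`${r.vulnerable ? "VULNERABLE" : "ok"}  ${r.version}  ${r.path}`);
}
```

To check a real project, pass the parsed contents of its `package-lock.json` to `findCrossSpawn` instead of `sampleLock`.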