[Security] Bump cross-spawn from 6.0.5 to 6.0.6 (!194) · Merge requests · tools / chat · GitLab

Snippets Groups Projects

Merged Dependabot requested to merge dependabot-npm_and_yarn-cross-spawn-6.0.6 into master 4 months ago

Bumps cross-spawn from 6.0.5 to 6.0.6. This update includes a security fix.

Vulnerabilities fixed

Regular Expression Denial of Service (ReDoS) in cross-spawn
Versions of the package cross-spawn before 7.0.5 are vulnerable to Regular Expression Denial of Service (ReDoS) due to improper input sanitization. An attacker can increase the CPU usage and crash the program by crafting a very large and well crafted string.

Patched versions: 6.0.6; 7.0.5
Affected versions: = 7.0.0, < 7.0.5

Changelog

Sourced from cross-spawn's changelog.

6.0.6 (2024-11-18)

Bug Fixes

disable regexp backtracking (#160) (ba5aaef)

core: support worker threads (#127) (f4af31c)

Commits

d35c865 chore(release): 6.0.6
5a37e19 chore: update package.json and package.lock
ba5aaef fix: disable regexp backtracking (#160)
f4af31c fix(core): support worker threads (#127)
See full diff in compare view

Dependabot commands

You can trigger Dependabot actions by commenting on this MR

$dependabot recreate will recreate this MR rewriting all the manual changes and resolving conflicts

Activity

Dependabot added dependencies javascript security labels 4 months ago

added dependencies javascript security labels
Dependabot added severity:high label 4 months ago

added severity:high label
Dependabot merged 4 months ago

merged
Dependabot mentioned in commit cb04b96b 4 months ago

mentioned in commit cb04b96b

Please register or sign in to reply

0 Reviewers

None

Labels

dependencies javascript security severity:high

Milestone

None

1 Participant