[Security] Bump cross-spawn from 6.0.5 to 6.0.6 (!194) · Merge requests · tools / chat

Dependabot requested to merge dependabot-npm_and_yarn-cross-spawn-6.0.6 into master Nov 19, 2024

Bumps cross-spawn from 6.0.5 to 6.0.6. This update includes a security fix.

Vulnerabilities fixed

Regular Expression Denial of Service (ReDoS) in cross-spawn
Versions of the package cross-spawn before 7.0.5 are vulnerable to Regular Expression Denial of Service (ReDoS) due to improper input sanitization. An attacker can increase the CPU usage and crash the program by crafting a very large and well crafted string.

Patched versions: 6.0.6; 7.0.5
Affected versions: = 7.0.0, < 7.0.5

Changelog

Sourced from cross-spawn's changelog.

6.0.6 (2024-11-18)

Bug Fixes

disable regexp backtracking (#160) (ba5aaef)

core: support worker threads (#127) (f4af31c)

Commits

d35c865 chore(release): 6.0.6
5a37e19 chore: update package.json and package.lock
ba5aaef fix: disable regexp backtracking (#160)
f4af31c fix(core): support worker threads (#127)
See full diff in compare view

Dependabot commands

You can trigger Dependabot actions by commenting on this MR

$dependabot recreate will recreate this MR rewriting all the manual changes and resolving conflicts

[Security] Bump cross-spawn from 6.0.5 to 6.0.6

6.0.6 (2024-11-18)

Bug Fixes

Merge request reports