[Security] Bump cross-spawn from 7.0.3 to 7.0.5 (!45) · Merge requests · tools / infra / zeroscale

Dependabot requested to merge dependabot-npm_and_yarn-cross-spawn-7.0.5 into master Nov 16, 2024

Bumps cross-spawn from 7.0.3 to 7.0.5. This update includes a security fix.

Vulnerabilities fixed

Regular Expression Denial of Service (ReDoS) in cross-spawn
Versions of the package cross-spawn before 7.0.5 are vulnerable to Regular Expression Denial of Service (ReDoS) due to improper input sanitization. An attacker can increase the CPU usage and crash the program by crafting a very large and well crafted string.

Patched versions: 7.0.5
Affected versions: < 7.0.5

Changelog

Sourced from cross-spawn's changelog.

7.0.5 (2024-11-07)

Bug Fixes

fix escaping bug introduced by backtracking (640d391)

7.0.4 (2024-11-07)

Bug Fixes

disable regexp backtracking (#160) (5ff3a07)

Commits

0852683 chore(release): 7.0.5
640d391 fix: fix escaping bug introduced by backtracking
bff0c87 chore: remove codecov
a7c6abc chore: replace travis with github workflows
9b9246e chore(release): 7.0.4
5ff3a07 fix: disable regexp backtracking (#160)
9521e2d chore: fix tests in recent node js versions
97ded39 chore: convert package lock
d52b6b9 chore: remove unused argument (#156)
5d84384 chore: add travis jobs on ppc64le (#142)
Additional commits viewable in compare view

Dependabot commands

You can trigger Dependabot actions by commenting on this MR

$dependabot recreate will recreate this MR rewriting all the manual changes and resolving conflicts

[Security] Bump cross-spawn from 7.0.3 to 7.0.5

7.0.5 (2024-11-07)

Bug Fixes

7.0.4 (2024-11-07)

Bug Fixes

Merge request reports