fix: override transitive test dep f/ high vuln (cross-spawn) (#496)
## Description

Force the transitive test dep to use the non-vuln version of `cross-spawn`.

Cuz I saw this when I tried to build today:

```bash
workstation-ubuntu2404:~/workspace/kubernetes-fluent-client$ npm audit
# npm audit report

cross-spawn 7.0.0 - 7.0.4
Severity: high
Regular Expression Denial of Service (ReDoS) in cross-spawn - GHSA-3xgq-45jj-v275
fix available via `npm audit fix`
node_modules/npm/node_modules/cross-spawn

1 high severity vulnerability

To address all issues, run:
  npm audit fix
```

```bash
workstation-ubuntu2404:~/workspace/kubernetes-fluent-client$ npm ls cross-spawn
[email protected] /home/user/workspace/kubernetes-fluent-client
├─┬ @kubernetes/[email protected]
│ └─┬ [email protected]
│   └─┬ [email protected]
│     └─┬ [email protected]
│       └─┬ [email protected]
│         └─┬ [email protected]
│           └── [email protected] deduped
├─┬ @typescript-eslint/[email protected]
│ └─┬ [email protected]
│   └── [email protected]
├─┬ [email protected]
│ └─┬ @jest/[email protected]
│   └─┬ [email protected]
│     └─┬ [email protected]
│       └── [email protected] deduped
├─┬ [email protected]
│ └─┬ [email protected]
│   └── [email protected] deduped
└─┬ [email protected] <-- our devDep (which is already at latest)
  ├─┬ @semantic-release/[email protected]
  │ ├─┬ [email protected]
  │ │ └── [email protected] deduped
  │ └─┬ [email protected]
  │   └─┬ [email protected]
  │     └─┬ [email protected]
  │       └── [email protected] <-- the "problem"
  ├─┬ [email protected]
  │ └─┬ [email protected]
  │   └── [email protected] deduped
  └─┬ [email protected]
    └── [email protected] deduped
```

## Type of change

- [ ] Bug fix (non-breaking change which fixes an issue)
- [ ] New feature (non-breaking change which adds functionality)
- [x] Other (security config, docs update, etc)

## Checklist before merging

- [ ] Test, docs, adr added or updated as needed
- [ ] [Contributor Guide Steps](https://docs.pepr.dev/main/contribute/#submitting-a-pull-request) followed
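
A check for the situation in the commit message above, added here as an example and not part of the commit or the project: it walks a dependency tree in the JSON shape that `npm ls --json` emits and lists every path that resolves `cross-spawn` inside the reported 7.0.0 - 7.0.4 range. The sample tree, its package names and its versions are constructed for illustration.

```javascript
// Added example: report every dependency path that resolves a package
// to a version inside a vulnerable range (range taken from the audit report).
const VULN = { name: "cross-spawn", min: [7, 0, 0], max: [7, 0, 4] };

// Parse "x.y.z" (ignoring any prerelease/build suffix) into numeric parts.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? m.slice(1).map(Number) : null;
}

// Three-part numeric comparison: -1, 0 or 1.
function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// True when version lies in [range.min, range.max]; unparseable versions are skipped.
function inRange(version, range) {
  const v = parseVersion(version);
  return v !== null && cmp(v, range.min) >= 0 && cmp(v, range.max) <= 0;
}

// Depth-first walk; returns one "a > b > pkg@version" string per vulnerable copy.
function findVulnerablePaths(node, range, trail = []) {
  const hits = [];
  for (const [name, dep] of Object.entries(node.dependencies || {})) {
    const here = [...trail, name];
    if (name === range.name && inRange(dep.version, range)) {
      hits.push(`${here.join(" > ")}@${dep.version}`);
    }
    hits.push(...findVulnerablePaths(dep, range, here));
  }
  return hits;
}

// Constructed sample tree (hypothetical package names and versions):
// one copy outside the range, one nested copy inside it.
const sampleTree = {
  name: "example-project", version: "1.0.0",
  dependencies: {
    "tool-a": { version: "2.0.0", dependencies: { "cross-spawn": { version: "7.0.6" } } },
    "release-tool": { version: "3.0.0", dependencies: {
      "bundled-cli": { version: "10.0.0", dependencies: { "cross-spawn": { version: "7.0.3" } } } } },
  },
};

const findings = findVulnerablePaths(sampleTree, VULN);
console.log(findings.length ? findings.join("\n") : "no vulnerable copies found");
```

To run it against a real project, replace `sampleTree` with the parsed output of `npm ls --all --json`.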