OS Command Injection in execa (execa@^1.0.0) #159

furqanbaqai · 2020-06-24T06:56:04Z

dependency execa@^1.0.0 has the following vulnerability reported:

Description:
Attackers could trick execa into executing arbitrary binaries. This behaviour is caused by the setting preferLocal=true which makes execa search for locally installed binaries and executes them.

Idenfiers
Gemnasium-05cfa2e8-2d0c-42c1-8894-638e2f12ff3d

Severity
Critical

The text was updated successfully, but these errors were encountered:

kelvinlouis · 2020-09-03T13:55:22Z

Is a patch planned? This vulnerability prohibits us from publishing or package.

chrised123 · 2021-03-17T05:58:33Z

@amasad can you please approve this merge?

amasad · 2021-03-28T08:12:02Z

Hey guys, I'm not really coding anymore so can't really test and maintain this package. Anyone wants to be a maintainer? cc @stefanpenner if he has any ideas.

COScholl · 2021-06-28T02:02:53Z

sane@4.1.0 is now deprecated in favor of sane@5.0.1 using execa@4.0.0

antrew mentioned this issue Oct 1, 2020

Upgrade execa #162

Open

mikemoate mentioned this issue Oct 16, 2020

feat: replace sane with chokidar jestjs/jest#10048

Closed

christianvuerings mentioned this issue Dec 13, 2020

Use chokidar instead of sane/fb-watchman pinterest/esprint#132

Merged

COScholl closed this as completed Jun 28, 2021

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

OS Command Injection in execa (execa@^1.0.0) #159

OS Command Injection in execa (execa@^1.0.0) #159

furqanbaqai commented Jun 24, 2020

kelvinlouis commented Sep 3, 2020

chrised123 commented Mar 17, 2021

amasad commented Mar 28, 2021

COScholl commented Jun 28, 2021

OS Command Injection in execa (execa@^1.0.0) #159

OS Command Injection in execa (execa@^1.0.0) #159

Comments

furqanbaqai commented Jun 24, 2020

kelvinlouis commented Sep 3, 2020

chrised123 commented Mar 17, 2021

amasad commented Mar 28, 2021

COScholl commented Jun 28, 2021