hashicorp / terraform-cdk

Define infrastructure resources using programming constructs and provision them using HashiCorp Terraform
https://www.terraform.io/cdktf
Mozilla Public License 2.0

Please bump cross-spawn dependency to ^7.0.6 to fix npm audit failure due to CVE-2024-21538 #3779

Open NathZ1 opened 1 week ago

NathZ1 commented 1 week ago

Expected Behavior

npm audit passes with 0 vulnerabilities

Actual Behavior

npm audit fails with 7 high severity vulnerabilities

CVE-2024-21538

Steps to Reproduce

npm install or npm audit

Versions

language: typescript
node: 20.11.1
cdktf: 0.20.10
cdktf-cli: 0.20.10

Providers

No response

Gist

No response

Possible Solutions

No response

Workarounds

No response

Anything Else?

No response

References

No response


yeoffrey commented 2 days ago

I think #3765 has to be merged. Would like to get this fixed :)

BeniRupp commented 1 day ago

@yeoffrey, the mentioned PR will just upgrade the @types/node packages. Your proposed changes of cross-spawn are not part of the PR anymore.

dhanushkakottegoda commented 1 day ago

If I am not mistaken, this is already fixed: https://github.com/hashicorp/terraform-cdk/blob/main/packages/cdktf-cli/package.json#L52 and just needs a release?

When can we expect the next release?