jestjs / jest

Delightful JavaScript Testing.
https://jestjs.io
MIT License

[Bug]: CVE-2024-21538 jest-changed-files depends on ancient version of execa #15379

Open curtdept opened 1 week ago

curtdept commented 1 week ago

Version

29.7.0

Steps to reproduce

This started coming up in code detectors. It looks like execa wasn't modernized with the rest of the repo.

CVE-2024-21538 https://nvd.nist.gov/vuln/detail/CVE-2024-21538

Expected behavior

No CVE scan errors.

Actual behavior

CVE scan errors.

Additional context

No response

Environment

System:
    OS: Linux 6.6 Ubuntu 22.04.5 LTS 22.04.5 LTS (Jammy Jellyfish)
    CPU: (12) x64 12th Gen Intel(R) Core(TM) i5-1245U
  Binaries:
    Node: 22.11.0 - ~/.nvm/versions/node/v22.11.0/bin/node
    Yarn: 1.22.22 - ~/.nvm/versions/node/v22.11.0/bin/yarn
    npm: 10.9.0 - ~/.nvm/versions/node/v22.11.0/bin/npm
    pnpm: 9.12.2 - ~/.nvm/versions/node/v22.11.0/bin/pnpm

SimenB commented 1 week ago

We might need to replace execa entirely. They moved to ESM only, which is still not viable for us, and that means we're stuck on an old version.
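Tracing a scanner finding like this one back through the dependency tree, as an added example that is not Jest's code: it reads an npm package-lock (lockfileVersion 3 layout) the way Node resolves modules, lists every installed copy of a package, and reports the chain from the project root that pulls each copy in. The lockfile fragment, the package `some-tool`, and all version strings are constructed placeholders.

```javascript
// Constructed npm lockfile fragment (lockfileVersion 3 layout); version strings are placeholders.
const SAMPLE_LOCK = {
  packages: {
    '': { name: 'my-app', dependencies: { 'some-tool': '*' }, devDependencies: { jest: '*' } },
    'node_modules/jest': { version: '29.7.0', dependencies: { '@jest/core': '*' } },
    'node_modules/@jest/core': { version: '29.7.0', dependencies: { 'jest-changed-files': '*' } },
    'node_modules/jest-changed-files': { version: '29.7.0', dependencies: { execa: '*' } },
    'node_modules/execa': { version: '0.0.0-placeholder-old' },
    'node_modules/some-tool': { version: '1.0.0', dependencies: { execa: '*' } },
    'node_modules/some-tool/node_modules/execa': { version: '0.0.0-placeholder-new' },
  },
};
// Package name at a lockfile path: 'node_modules/a/node_modules/@s/b' -> '@s/b'.
const packageName = (p) => p.slice(p.lastIndexOf('node_modules/') + 'node_modules/'.length);
// Mirror Node's lookup: nearest node_modules folder first, then walk up toward the root.
function resolveDep(packages, fromPath, depName) {
  for (let base = fromPath; ; ) {
    const candidate = (base === '' ? '' : base + '/') + 'node_modules/' + depName;
    if (packages[candidate]) return candidate;
    if (base === '') return null;
    const idx = base.lastIndexOf('/node_modules/');
    base = idx === -1 ? '' : base.slice(0, idx);
  }
}
// One route of package names from the root project down to an installed copy; null if none leads there.
function chainToRoot(lockPath, dependents, packages, seen = new Set()) {
  if (lockPath === '') return [packages[''].name];
  seen.add(lockPath);
  for (const parent of dependents.get(lockPath) || []) {
    if (seen.has(parent)) continue; // guard against dependency cycles
    const chain = chainToRoot(parent, dependents, packages, seen);
    if (chain) return chain.concat(packageName(lockPath));
  }
  return null;
}
// Every installed copy of `targetName`, with its version and the chain that pulls it in.
function findDependents(lock, targetName) {
  const packages = lock.packages || {};
  const dependents = new Map(); // resolved lockfile path -> paths that depend on it
  for (const [fromPath, meta] of Object.entries(packages)) {
    const declared = { ...meta.dependencies, ...meta.devDependencies, ...meta.optionalDependencies };
    for (const depName of Object.keys(declared)) {
      const resolved = resolveDep(packages, fromPath, depName);
      if (resolved) dependents.set(resolved, [...(dependents.get(resolved) || []), fromPath]);
    }
  }
  return Object.keys(packages)
    .filter((p) => p !== '' && packageName(p) === targetName)
    .map((p) => ({ path: p, version: packages[p].version, chain: chainToRoot(p, dependents, packages) }));
}
for (const hit of findDependents(SAMPLE_LOCK, 'execa')) console.log(hit.version, (hit.chain || ['unreachable']).join(' > '));
```

Against a real project, pass `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` instead of the sample; the chain identifies which direct dependency has to move before the flagged copy disappears from the tree.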