
CVE-2021-42740 (Critical vulnerability) on shell-quote (dependency package)

Open Rashmi-nw opened this issue 2 years ago • 2 comments

Hi, we are using npm-run-all in our project.

We have started seeing the CVE-2021-42740 vulnerability (Critical) from npm-run-all, as it has a dependency on the shell-quote package.

As a quick fix, we have upgraded the shell-quote version to 1.7.3 in resolutions. It would be great if you could update the version of shell-quote. Happy to create a PR if required, so that it can be released sooner.

Rashmi-nw avatar Nov 11 '21 12:11 Rashmi-nw

Yes, please update shell-quote. SysDig VULNDB-271474: a flaw that is triggered as shell metacharacters are not properly filtered...

jmayormi avatar Nov 16 '21 04:11 jmayormi

I don't think anything needs to happen from the side of npm-run-all, the non-vulnerable version of shell-quote is compatible with npm-run-all and will be used if either A) you installed npm-run-all after the non-vulnerable version of shell-quote was released, or B) you run npm audit fix (or npm update shell-quote; this is required in case npm audit doesn't complain about shell-quote for you).

Also, if you're using npm-run-all for its intended purpose I'd say this vulnerability doesn't apply. An attacker controlling the input of npm-run-all already has remote code execution anyway.

ericcornelissen avatar Jan 21 '22 20:01 ericcornelissen
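A practical check for the situation discussed in this thread is to confirm that no copy of shell-quote below 1.7.3 (the version the reporter upgraded to) is still pinned in the lock file, including nested copies under `node_modules/npm-run-all`. The script below is an added example, not code from npm-run-all or shell-quote; it assumes an npm `lockfileVersion` 2 `package-lock.json` and uses a constructed sample lock file when no path is given.

```javascript
// Added example: report copies of shell-quote older than the fixed version
// in an npm package-lock.json (lockfileVersion 2, "packages" keyed by path).
const FIXED_VERSION = "1.7.3"; // fix version named in the issue above

// Compare two "x.y.z" version strings numerically; returns -1, 0 or 1.
// Pre-release suffixes are ignored, which is enough for this check.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Walk every installed path in the lock file and return [{ path, version }]
// for each copy of pkgName whose version is below FIXED_VERSION.
function findVulnerableShellQuote(lock, pkgName = "shell-quote") {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    // Matches both hoisted and nested installs, not e.g. "foo-shell-quote".
    if (!path.endsWith("node_modules/" + pkgName)) continue;
    if (compareVersions(entry.version, FIXED_VERSION) < 0) {
      findings.push({ path, version: entry.version });
    }
  }
  return findings;
}

// Constructed sample lock file: a hoisted fixed copy plus a stale nested copy
// under npm-run-all, which is the case "npm update shell-quote" resolves.
const sampleLock = {
  lockfileVersion: 2,
  packages: {
    "": { name: "app", dependencies: { "npm-run-all": "^4.1.5" } },
    "node_modules/shell-quote": { version: "1.7.3" },
    "node_modules/npm-run-all": { version: "4.1.5", dependencies: { "shell-quote": "^1.6.1" } },
    "node_modules/npm-run-all/node_modules/shell-quote": { version: "1.6.1" },
  },
};

if (typeof require !== "undefined" && require.main === module) {
  const lockPath = process.argv[2]; // optional: path to a real package-lock.json
  const lock = lockPath ? JSON.parse(require("fs").readFileSync(lockPath, "utf8")) : sampleLock;
  for (const f of findVulnerableShellQuote(lock)) {
    console.log(`${f.path}: shell-quote ${f.version} is below ${FIXED_VERSION}`);
  }
}
```

Run it as `node check-shell-quote.js package-lock.json`; an empty report means every installed copy is at or above 1.7.3.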