mysticatea / npm-run-all

A CLI tool to run multiple npm-scripts in parallel or sequential.
MIT License
5.72k stars 240 forks

dependency shell-quote CVE-2021-42740 #235

Open robmaas opened 2 years ago

robmaas commented 2 years ago

Please upgrade the npm package shell-quote to 1.7.3+ to patch https://github.com/advisories/GHSA-g4rg-993r-mgx7

Etheryte commented 2 years ago

Until the package gets updated, you can use Yarn's resolutions or npm's overrides to override the dependency. For example, for Yarn:

{
  "devDependencies": {
    "npm-run-all": "4.1.5"
  },
  "resolutions": {
    "shell-quote": "1.7.3"
  }
}