swc-project / pkgs

node.js packages for SWC

Vulnerability in transitive execa dependency #54

Open gitLinda opened 2 months ago

gitLinda commented 2 months ago

Hi,

We are using the @swc/cli which brings in a very old version of execa from transitive dependencies. This execa version contains a "Uncontrolled Search Path Element" vulnerability.

bin-check seems not to be maintained anymore, but there is a fork available: see this issue. Unfortunately @mole-inc/bin-wrapper seems unmaintained as well.

A fix would be very appreciated.
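To see where a flagged package like execa actually enters a tree, and to pin only the offending copy while a maintained fork is sorted out, the following script (an added example, not code from swc-project/pkgs or from this issue's participants) walks a package-lock "packages" map the way Node resolves nested node_modules directories and emits a nested npm "overrides" entry. The lockfile, package versions and the `isVulnerable` predicate are constructed placeholders; only the package names @swc/cli, bin-check and execa come from the report above, and the dependency edges between them are assumed for illustration.

```javascript
// Added example, not code from swc-project/pkgs: trace every dependency chain
// from the project root to a named package in an npm package-lock
// (lockfileVersion 2/3 "packages" map), report which installed copy each chain
// resolves to, and build a nested "overrides" entry pinning only that copy.
// All data below is CONSTRUCTED; version strings are placeholders.

const sampleLock = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    // Root declares @swc/cli and, separately, its own newer execa.
    "": { dependencies: { "@swc/cli": "*", execa: "*" } },
    "node_modules/@swc/cli": { version: "0.0.0-placeholder", dependencies: { "bin-check": "*" } },
    "node_modules/bin-check": { version: "0.0.0-placeholder", dependencies: { execa: "*" } },
    // bin-check's range is not satisfied by the root copy, so npm nested an old one.
    "node_modules/bin-check/node_modules/execa": { version: "0.0.1-placeholder-old" },
    "node_modules/execa": { version: "9.9.9-placeholder-new" },
  },
};

// Mimic Node resolution on lockfile keys: look for <from>/node_modules/<name>,
// then climb one node_modules level at a time until the root ("").
function resolveDep(lock, fromPath, name) {
  let p = fromPath;
  for (;;) {
    const candidate = (p ? p + "/" : "") + "node_modules/" + name;
    if (lock.packages[candidate]) return candidate;
    if (p === "") return null;
    const idx = p.lastIndexOf("node_modules/");
    p = idx <= 0 ? "" : p.slice(0, idx - 1); // strip trailing "/node_modules/<pkg>"
  }
}

// Depth-first walk from the root; returns every chain that ends in `target`
// together with the lockfile key and version that chain resolves to.
function findChains(lock, target) {
  const found = [];
  function visit(path, chain, seen) {
    const entry = lock.packages[path];
    const deps = (entry && entry.dependencies) || {};
    for (const depName of Object.keys(deps)) {
      const depPath = resolveDep(lock, path, depName);
      if (!depPath || seen.has(depPath)) continue; // unresolved entry or cycle
      const next = chain.concat(depName);
      if (depName === target) {
        found.push({ chain: next, path: depPath, version: lock.packages[depPath].version });
      }
      visit(depPath, next, new Set(seen).add(depPath));
    }
  }
  visit("", [], new Set());
  return found;
}

// Keep only chains whose resolved copy the caller's predicate flags
// (in practice a semver range check against the advisory's fixed version).
function affectedChains(lock, target, isVulnerable) {
  return findChains(lock, target).filter((c) => isVulnerable(c.version));
}

// Nested npm "overrides" entry: pin the package only beneath its direct
// dependent, so an unrelated direct dependency on the same package is untouched.
function overrideFor(chain, fixedVersion) {
  const target = chain[chain.length - 1];
  if (chain.length < 2) return { [target]: fixedVersion };
  const dependent = chain[chain.length - 2];
  return { [dependent]: { [target]: fixedVersion } };
}

// Human-readable summary, one line per affected chain.
function report(lock, target, isVulnerable, fixedVersion) {
  return affectedChains(lock, target, isVulnerable).map(
    (c) =>
      c.chain.join(" > ") + " resolves to " + c.path + " (" + c.version + "); " +
      "suggested override: " + JSON.stringify(overrideFor(c.chain, fixedVersion))
  );
}

// Placeholder predicate for the constructed sample; a real check would parse semver.
const isOldPlaceholder = (v) => v.endsWith("-old");
console.log(report(sampleLock, "execa", isOldPlaceholder, ">=9.9.9-placeholder-new").join("\n"));
```

On a real checkout, `npm ls execa` prints the same chains from the installed tree; this script is useful when only the lockfile is available (CI, a scanner's artifact). Note that npm "overrides" replace the dependent's declared range rather than negotiate with it, so forcing a newer execa under bin-check needs a run of the affected tooling afterwards: the pin silences the scanner regardless of whether bin-check still works against the newer API.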

rrushextern commented 1 week ago

Hi there,

We're facing the same issue with the package. Any updates on this?

kdy1 commented 1 week ago

This issue cannot be exploited considering the code of @swc/cli

gitLinda commented 1 week ago

Hi @kdy1, it would still be nice to fix it, since it shows up all the time in security reports.

kdy1 commented 1 week ago

I'll happily accept a PR