tailwindlabs / tailwindcss

A utility-first CSS framework for rapid UI development.
https://tailwindcss.com/
MIT License
83.28k stars 4.22k forks

[Security] SNYK-JS-CROSSSPAWN-8303230 #14988

Closed maxdeichmann closed 1 week ago

maxdeichmann commented 1 week ago

What version of Tailwind CSS are you using?

For example: tailwindcss 3.4.14

What build tool (or framework if it abstracts the build tool) are you using?

For example: next 14.2.15

What version of Node.js are you using?

For example: v12.0.0

What browser are you using?

For example: Chrome

What operating system are you using?

For example: macOS

Reproduction URL

Describe your issue

We are faced with the SNYK-JS-CROSSSPAWN-8303230 vulnerability which occurs in cross-spawn < 7.0.5. Can you please upgrade the dependencies on your end?

https://security.snyk.io/vuln/SNYK-JS-CROSSSPAWN-8303230

RobinMalfait commented 1 week ago

Hey! These lower level dependencies typically aren't pinned, which means that you should be able to run npm update or npm audit fix.

If you install Tailwind CSS v3 from scratch, you'll notice that cross-spawn@7.0.5 is already installed (at the time of writing this) which is also the version suggested by the security report.

Steps to reproduce

```console
~/projects ❯ mkdir example-project && cd example-project
```

```console
~/projects/example-project ❯ git init
Initialized empty Git repository in ~/projects/example-project/.git/
```

```console
~/projects/example-project on main ❯ npm init --yes
Wrote to ~/projects/example-project/package.json:

{
  "name": "example-project",
  "version": "1.0.0",
  "main": "index.js",
  "scripts": {
    "test": "echo \"Error: no test specified\" && exit 1"
  },
  "keywords": [],
  "author": "Robin Malfait",
  "license": "ISC",
  "description": ""
}
```

```console
~/projects/example-project on main ❯ npm install tailwindcss@latest

added 113 packages, and audited 114 packages in 5s

29 packages are looking for funding
  run `npm fund` for details

found 0 vulnerabilities
```

```console
~/projects/example-project on main ❯ npm ls cross-spawn
example-project@1.0.0 ~/projects/example-project
└─┬ tailwindcss@3.4.14
  └─┬ sucrase@3.35.0
    └─┬ glob@10.4.5
      └─┬ foreground-child@3.3.0
        └── cross-spawn@7.0.5
```

That said, the pnpm-lock.yaml file is from the Tailwind CSS v4 codebase (next branch), not the v3 codebase (main branch). These lock files are not published to npm, so the update commands I mentioned earlier should just work.

Hope this helps!
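The check Robin runs with `npm ls cross-spawn` on an installed tree can also be done offline against a project's `package-lock.json`, which is useful in CI before anything is installed. The script below is an added example and is not part of this issue thread or of the Tailwind CSS codebase. It walks a constructed lockfileVersion 3 lockfile, resolves each dependency the way Node does (nearest `node_modules` folder, walking up to the project root), and reports every copy of `cross-spawn` below the 7.0.5 fix version named in the advisory, together with the chain that pulls it in. The lockfile contents, the hypothetical 7.0.3 copy, the second `some-tool` dependency and the function names (`findVulnerable`, `resolveDependency`, `compareSemver`) are all constructed for the example; the tailwindcss → sucrase → glob → foreground-child → cross-spawn chain mirrors the `npm ls` output above.

```javascript
// Added example: audit a package-lock.json (lockfileVersion 3 layout) for a
// transitive dependency below its fixed version, and show the chain that pulls
// it in. Not part of the Tailwind issue or codebase; the lockfile below is
// constructed for this example and the 7.0.3 copy is hypothetical.

// Fixed version named in the Snyk advisory quoted in the issue (cross-spawn < 7.0.5).
const ADVISORY = { name: "cross-spawn", fixedIn: "7.0.5" };

// Constructed lockfile: one hoisted copy of cross-spawn that is too old, plus
// a nested copy under a second (hypothetical) dependency that already has the fix.
const LOCK = {
  name: "example-project",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-project", version: "1.0.0",
          dependencies: { tailwindcss: "^3.4.14", "some-tool": "^1.0.0" } },
    "node_modules/tailwindcss": { version: "3.4.14", dependencies: { sucrase: "^3.35.0" } },
    "node_modules/sucrase": { version: "3.35.0", dependencies: { glob: "^10.3.10" } },
    "node_modules/glob": { version: "10.4.5", dependencies: { "foreground-child": "^3.1.0" } },
    "node_modules/foreground-child": { version: "3.3.0", dependencies: { "cross-spawn": "^7.0.0" } },
    "node_modules/cross-spawn": { version: "7.0.3" },                        // vulnerable (hypothetical)
    "node_modules/some-tool": { version: "1.0.0", dependencies: { "cross-spawn": "^7.0.5" } },
    "node_modules/some-tool/node_modules/cross-spawn": { version: "7.0.5" }, // already fixed
  },
};

// Compare two plain "major.minor.patch" strings numerically (no ranges, no pre-release tags).
function compareSemver(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Package name from a lockfile key: everything after the last "node_modules/"
// (this keeps scoped names such as "@scope/name" intact).
function packageName(pkgPath) {
  return pkgPath.slice(pkgPath.lastIndexOf("node_modules/") + "node_modules/".length);
}

// Resolve `dep` from `fromPath` the way Node does: nearest node_modules folder,
// then each parent's node_modules, up to the project root. Returns the lockfile key or null.
function resolveDependency(packages, fromPath, dep) {
  let base = fromPath;
  for (;;) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + dep;
    if (candidate in packages) return candidate;
    if (base === "") return null;
    const idx = base.lastIndexOf("/node_modules/");
    base = idx === -1 ? "" : base.slice(0, idx);
  }
}

// Depth-first walk from the root package; returns every copy of advisory.name
// whose version is below advisory.fixedIn, with the first chain that reaches it.
function findVulnerable(lock, advisory) {
  const packages = lock.packages;
  const findings = [];
  const seen = new Set(); // guards against dependency cycles
  const visit = (pkgPath, chain) => {
    if (seen.has(pkgPath)) return;
    seen.add(pkgPath);
    const pkg = packages[pkgPath];
    const name = pkgPath === "" ? (pkg.name || lock.name) : packageName(pkgPath);
    const here = chain.concat(`${name}@${pkg.version}`);
    if (pkgPath !== "" && name === advisory.name && compareSemver(pkg.version, advisory.fixedIn) < 0) {
      findings.push({ path: pkgPath, version: pkg.version, chain: here });
    }
    for (const dep of Object.keys(pkg.dependencies || {})) {
      const target = resolveDependency(packages, pkgPath, dep);
      if (target === null) continue; // optional or missing dependency: nothing installed
      visit(target, here);
    }
  };
  visit("", []);
  return findings;
}

// Human-readable report, one line per vulnerable copy.
function formatReport(findings) {
  if (findings.length === 0) return "no vulnerable copies found";
  return findings.map(f => `${f.path} (${f.version}): ${f.chain.join(" > ")}`).join("\n");
}

console.log(formatReport(findVulnerable(LOCK, ADVISORY)));
```

For a real project, replace `LOCK` with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`. The point the walk makes is the one Robin's reply makes: the vulnerable copy is hoisted to the top-level `node_modules`, it is not pinned by Tailwind, and the remediation is on the consumer's side (`npm update` or `npm audit fix`), after which the same check reports nothing.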