vuejs / vue-cli

🛠️ webpack-based tooling for Vue.js Development
https://cli.vuejs.org/
MIT License

Security vulnerability - upgrade cli-shared-utils/node_modules/execa to version 2.0.0 or above #7407

Open MeganPaffrath opened 1 year ago

MeganPaffrath commented 1 year ago

Version

5.0.8

Environment info

Local

Steps to reproduce

I am unsure.

What is expected?

To not get vulnerability errors from our scanner.

What is actually happening?

We are getting the following vulnerability error:

Uncontrolled Search Path Element Attackers could trick execa into executing arbitrary binaries. This behaviour is caused by the setting preferLocal=true which makes execa search for locally installed binaries and executes them. This vulnerability is usually only exploitable when using execa on a client-side LOCAL application.

The proposed solution from our scanner is to upgrade execa to version 2.0.0 or above.

Thank you for taking the time to investigate!

bilby91 commented 1 year ago

Is there any plan to patch this vulnerable dependency?

jeffreyrubi commented 1 year ago

I see there are two dependencies on a vulnerable version of execa:

[Screenshot taken 2023-08-16 showing the two dependencies]

Krishna7852 commented 1 year ago

I've come across the same vulnerability error related to execa. Is there any plan in place for fixing this issue?

Your assistance or any updates on this matter would be greatly appreciated.