yarnpkg / berry

📦🐈 Active development trunk for Yarn ⚒
https://yarnpkg.com
BSD 2-Clause "Simplified" License

chore: unlock cross-spawn range #6606

Closed lswith closed 4 days ago

lswith commented 1 week ago

cross-spawn has a vulnerability https://github.com/moxystudio/node-cross-spawn/issues/167.

This should allow the latest version of the cross-spawn package to work.

What's the problem this PR addresses?

...

How did you fix it?

...

Checklist

mjdavidson commented 4 days ago

hey @merceyz do you know when this will be merged?

yermulnik commented 4 days ago

Apologies for the dumb question as I'm not familiar with npm at all; do I get it right that this PR should fix the below npm audit report?

# npm audit report

cross-spawn  7.0.0 - 7.0.4
Severity: high
Regular Expression Denial of Service (ReDoS) in cross-spawn - https://github.com/advisories/GHSA-3xgq-45jj-v275
fix available via `npm audit fix --force`
Will install renovate@22.22.3, which is a breaking change
node_modules/cross-spawn
  @yarnpkg/core  *
  Depends on vulnerable versions of @yarnpkg/shell
  Depends on vulnerable versions of cross-spawn
  node_modules/@yarnpkg/core
    renovate  0.0.0-semantic-release || 22.22.0 - 22.22.2 || >=22.23.0
    Depends on vulnerable versions of @yarnpkg/core
    node_modules/renovate
  @yarnpkg/shell  *
  Depends on vulnerable versions of cross-spawn
  node_modules/@yarnpkg/shell

4 high severity vulnerabilities

If yes, then could you please give a hint on when @yarnpkg/core is going to pick this update up and get a new release cut? Thanks.

The other PR to fix the same vuln (just linking for visibility): https://github.com/yarnpkg/berry/pull/6605

merceyz commented 4 days ago

Note that this isn't an issue you should be worried about. When a package can pass arguments to cross-spawn, why go for a ReDoS when it has shell access?

do I get it right that this PR should fix the below npm audit report?

Maybe, it unlocks the SemVer range so you can pick up the patched version.

If yes, then could you please give a hint on when @yarnpkg/core is going to pick this update up and get a new release cut?

I've created a new release now.
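An added example, not code from yarnpkg/berry or from this PR, showing what "unlocks the SemVer range so you can pick up the patched version" means in practice and how the chain of "Depends on vulnerable versions of ..." lines in the npm audit report above is derived. The dependency tree and the package versions in it are constructed sample data, not the real versions of any @yarnpkg release; the vulnerable range is the one the report prints for GHSA-3xgq-45jj-v275; 7.0.5 as the first fixed version is inferred from that range rather than read from the PR diff. Plain JavaScript with a small hand-written range matcher is used instead of the `semver` package so the block runs offline.

```javascript
// Added example (not part of yarnpkg/berry or PR #6606): a minimal SemVer range
// matcher plus an npm-audit-style walk over a constructed dependency tree.
// Supported range forms: exact "X.Y.Z", "^X.Y.Z", "~X.Y.Z", ">=X.Y.Z", "*",
// and the advisory form "A.B.C - D.E.F". Pre-release tags are not handled.

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1).map(Number);
}

function compare(a, b) {
  const [x, y] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] - y[i];
  return 0;
}

// True when `version` lies inside `range`. "^0.0.x" is treated like "~0.0.x",
// a simplification of real SemVer caret rules that does not matter here.
function satisfies(version, range) {
  range = range.trim();
  if (range === '*') return true;
  const hyphen = /^(\S+)\s+-\s+(\S+)$/.exec(range);
  if (hyphen) return compare(version, hyphen[1]) >= 0 && compare(version, hyphen[2]) <= 0;
  if (range.startsWith('>=')) return compare(version, range.slice(2)) >= 0;
  const op = range[0] === '^' || range[0] === '~' ? range[0] : '';
  const base = op ? range.slice(1) : range;
  if (op === '') return compare(version, base) === 0;      // exact pin
  if (compare(version, base) < 0) return false;
  const [bM, bm] = parseVersion(base);
  const [vM, vm] = parseVersion(version);
  if (op === '^') return bM > 0 ? vM === bM : vM === 0 && vm === bm;
  return vM === bM && vm === bm;                            // '~'
}

// Vulnerable range exactly as printed in the npm audit report above.
const ADVISORY = { name: 'cross-spawn', vulnerable: '7.0.0 - 7.0.4' };

// First version outside the vulnerable range; inferred from the advisory
// range, not read from the PR.
const FIXED_VERSION = '7.0.5';

// Constructed lockfile-like tree. Versions are sample values, not the real
// versions of renovate or any @yarnpkg package.
const TREE = {
  'renovate':      { version: '22.22.2', deps: { '@yarnpkg/core': '*' } },
  '@yarnpkg/core': { version: '4.0.0',   deps: { '@yarnpkg/shell': '*', 'cross-spawn': '7.0.3' } },
  '@yarnpkg/shell':{ version: '4.0.0',   deps: { 'cross-spawn': '7.0.3' } },
  'cross-spawn':   { version: '7.0.3',   deps: {} },
};

// Same propagation npm audit performs: a package is affected if it is the
// vulnerable package itself or depends on an affected package. Iterating to a
// fixpoint keeps this safe on cyclic graphs.
function affectedPackages(tree, advisory) {
  const affected = new Set(Object.keys(tree).filter(
    n => n === advisory.name && satisfies(tree[n].version, advisory.vulnerable)));
  let grew = true;
  while (grew) {
    grew = false;
    for (const [name, pkg] of Object.entries(tree)) {
      if (!affected.has(name) && Object.keys(pkg.deps).some(d => affected.has(d))) {
        affected.add(name);
        grew = true;
      }
    }
  }
  return [...affected].sort();
}

// The question behind "unlock cross-spawn range": can this declared range ever
// resolve to the fixed version? An exact pin cannot; a caret/tilde range can.
function rangeAllowsFix(range, fixed = FIXED_VERSION) {
  return satisfies(fixed, range);
}

function main() {
  console.log('affected by', ADVISORY.vulnerable, '->', affectedPackages(TREE, ADVISORY));
  for (const r of ['7.0.3', '~7.0.3', '^7.0.3']) {
    console.log(`range ${r.padEnd(7)} can pick up ${FIXED_VERSION}:`, rangeAllowsFix(r));
  }
}

if (typeof require !== 'undefined' && require.main === module) main();
```

Run with `node unlock-range.js` (any filename). With the constructed tree every package is reported, matching the shape of the audit output above, because the vulnerability propagates up through @yarnpkg/shell and @yarnpkg/core to renovate; the pinned `7.0.3` range can never resolve to 7.0.5, while `~7.0.3` or `^7.0.3` can, which is what the range change in this PR achieves for consumers.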

yermulnik commented 4 days ago

Note that this isn't an issue you should be worried about.

And I'm not =) But the required check fails because of the npm audit for the linked PR I created in another repo 🤷🏻

If yes, then could you please give a hint on when @yarnpkg/core is going to pick this update up and get a new release cut?

I've created a new release now.

Thank you.