Upgrade cross-spawn Dependency to Address Security Vulnerability (ReDoS)

[DariiaNikolaieva]

pre-commit/package.json

Line 33 in a84bdc8

"cross-spawn": "^5.0.1",

Versions of the package cross-spawn before 7.0.5 are vulnerable to Regular Expression Denial of Service (ReDoS) due to improper input sanitization. An attacker can increase the CPU usage and crash the program by crafting a very large and well crafted string.

Details of the issue:

Package: cross-spawn
Current version: ^5.0.1
Vulnerable versions: <7.0.5
Fixed version: >=7.0.5
Impact: Increased CPU usage or crash due to ReDoS

[yanoandri]

Hi, are there any updates for this issues?

[inca]

I'm happy to take ownership or co-author the fix if you're interested.

[ulric4690]

I think this project need new owner

[Tofandel]

NPM really needs a "disregard CVE" feature.. Are you really going to let your production project and it's users direct access to commit on your project or let them execute unsanitized commands with cross-spawn ? If you do, you have other things to worry about than ReDos, I don't know why it's even rated high in cross-spawn. There is no logic to the CVE rating in NPM

While it would be nice to upgrade, this is not a real vulnerability

[inca]

@Tofandel As much as I agree with everything that you wrote, the last commit on this repo was 6 years ago, everything is left unanswered, PRs and requests to collaborate or transfer ownership are ignored — all of this is just uncool, simply speaking.

(I mean, I myself have a history of abandoning the open source projects that outlived their purposes, but the very least I could do is to update the README to include This is no longer maintained, please consider the following alternatives for those few folks who trusted my humble contributions to OSS).

[greim]

Heads up, looks like @fastify/pre-commit is a fork which has been updated as recently as a month ago (as of this comment).

https://github.com/fastify/pre-commit