[Security] Bump cross-spawn from 7.0.3 to 7.0.6 (!544) · Merge requests · Données et territoires / Générateur de fiches territoriales

Ghost User requested to merge dependabot-npm_and_yarn-cross-spawn-7.0.6 into main Nov 19, 2024

Bumps cross-spawn from 7.0.3 to 7.0.6. This update includes a security fix.

Vulnerabilities fixed

Regular Expression Denial of Service (ReDoS) in cross-spawn Versions of the package cross-spawn before 7.0.5 are vulnerable to Regular Expression Denial of Service (ReDoS) due to improper input sanitization. An attacker can increase the CPU usage and crash the program by crafting a very large and well crafted string.

Patched versions: 7.0.5 Affected versions: >= 7.0.0, < 7.0.5

Changelog

Sourced from cross-spawn's changelog.

7.0.6 (2024-11-18)

Bug Fixes

update cross-spawn version to 7.0.5 in package-lock.json (f700743)

7.0.5 (2024-11-07)

Bug Fixes

fix escaping bug introduced by backtracking (640d391)

7.0.4 (2024-11-07)

Bug Fixes

disable regexp backtracking (#160) (5ff3a07)

Commits

77cd97f chore(release): 7.0.6
6717de4 chore: upgrade standard-version
f700743 fix: update cross-spawn version to 7.0.5 in package-lock.json
9a7e3b2 chore: fix build status badge
0852683 chore(release): 7.0.5
640d391 fix: fix escaping bug introduced by backtracking
bff0c87 chore: remove codecov
a7c6abc chore: replace travis with github workflows
9b9246e chore(release): 7.0.4
5ff3a07 fix: disable regexp backtracking (#160)
Additional commits viewable in compare view

[Security] Bump cross-spawn from 7.0.3 to 7.0.6

7.0.6 (2024-11-18)

Bug Fixes

7.0.5 (2024-11-07)

Bug Fixes

7.0.4 (2024-11-07)

Bug Fixes

Merge request reports