[BUG] Cross Spawn Has A high Severity vulnerability #7916
Closed
Is there an existing issue for this?
- I have searched the existing issues
This issue exists in the latest npm version
- I am using the latest npm
Current Behavior
```
npm warn audit fix cross-spawn@7.0.3 node_modules/npm/node_modules/cross-spawn
npm warn audit fix cross-spawn@7.0.3 is a bundled dependency of
npm warn audit fix cross-spawn@7.0.3 npm@10.9.0 at node_modules/npm
npm warn audit fix cross-spawn@7.0.3 It cannot be fixed automatically.
npm warn audit fix cross-spawn@7.0.3 Check for updates to the npm package.
up to date, audited 1158 packages in 2s
167 packages are looking for funding
run `npm fund` for details
# npm audit report
cross-spawn <7.0.5
Severity: high
Regular Expression Denial of Service (ReDoS) in cross-spawn - https://github.com/advisories/GHSA-3xgq-45jj-v275
fix available via `npm audit fix`
node_modules/npm/node_modules/cross-spawn
1 high severity vulnerability
To address all issues, run:
npm audit fix
FAIL: 1
```
Expected Behavior
Should fix this vulnerability.
Steps To Reproduce
- In this environment https://github.com/RebackkHQ/webapp-scanner
- Run `npm audit fix`
- See error
Environment
- npm: 10.9.0
- Node.js: 22.11.0
- OS Name: macOS
- System Model Name: MacBook Air M1
- npm config:
```
; "user" config from /Users/sarwagya/.npmrc
@NAMESPACE:registry = "https://npm.pkg.github.com/"
//npm.pkg.github.com/:_authToken = (protected)
//registry.npmjs.org/:_authToken = (protected)
python = "python2.7.16"
; node bin location = /usr/local/bin/node
; node version = v22.11.0
; npm local prefix = /Users/sarwagya/Desktop/Projects/webapp-scanner
; npm version = 10.9.0
; cwd = /Users/sarwagya/Desktop/Projects/webapp-scanner
; HOME = /Users/sarwagya
; Run `npm config ls -l` to show all defaults.
; "publishConfig" from /Users/sarwagya/Desktop/Projects/webapp-scanner/package.json
; This set of config values will be used at publish-time.
access = "public"
```