Package dependence in prisma-cli-core now have CVE security problem

[Aries0d0f]

Describe the bug
npm-run@4.1.2 is a dependence package in prisma-cli-core, and npm-run@4.1.2 has dependence sync-exec@0.6.2 which CVE-2017-16024 be found.

Expected behavior
Upgrade dependence to npm-run@5.0.1 which is already remove package sync-exec from it's dependences.

Versions (please complete the following information):

• Connector: Postgres
• Prisma Server: 1.28.3
• prisma CLI: prisma@1.28.3 (darwin-x64) node-v11.7.0]
• OS: OS X Mojave

[pantharshit00]

Hi @Aries0d0f

Thanks for reporting this. We were unaware of the fact that npm-run have removed this dependency. We will try to include this dependency upgrade in the next release.

Right now, I will be closing this as a duplicate of #3723

cc @divyenduz

[pantharshit00]

Ok, just remembered why we were holding this. npm-run 5.0.1 breaks windows support. I think we can publish a package in our own namespace now including timoxley/npm-run#21 as the package maintainers don't seem to be maintaining it.

[pantharshit00]

I have published @harshitpant/npm-run that includes timoxley/npm-run#21 and made a PR that will fix this #4187