chore: [security] bump cross-spawn from 7.0.3 to 7.0.6 #342

Merged
martinr92 merged 1 commit from dependabot-npm_and_yarn-develop-cross-spawn-7.0.6 into develop 2024-12-15 10:41:19 +00:00
martinr92 commented 2024-12-02 18:15:12 +00:00 (Migrated from gitlab.com)

Bumps [cross-spawn](https://github.com/moxystudio/node-cross-spawn) from 7.0.3 to 7.0.6. **This update includes a security fix.**

Vulnerabilities fixed

Regular Expression Denial of Service (ReDoS) in cross-spawn
Versions of the package cross-spawn before 7.0.5 are vulnerable to Regular Expression Denial of Service (ReDoS) due to improper input sanitization. An attacker can increase the CPU usage and crash the program by crafting a very large and well crafted string.

Patched versions: 6.0.6; 7.0.5
Affected versions: >= 7.0.0, < 7.0.5

Changelog

Sourced from [cross-spawn's changelog](https://github.com/moxystudio/node-cross-spawn/blob/master/CHANGELOG.md).

[7.0.6](https://github.com/moxystudio/node-cross-spawn/compare/v7.0.5...v7.0.6) (2024-11-18)

Bug Fixes

  • update cross-spawn version to 7.0.5 in package-lock.json (f700743)

[7.0.5](https://github.com/moxystudio/node-cross-spawn/compare/v7.0.4...v7.0.5) (2024-11-07)

Bug Fixes

  • fix escaping bug introduced by backtracking (640d391)

[7.0.4](https://github.com/moxystudio/node-cross-spawn/compare/v7.0.3...v7.0.4) (2024-11-07)

Bug Fixes

  • disable regexp backtracking ([#160](https://github.com/moxystudio/node-cross-spawn/issues/160)) (5ff3a07)

Commits
  • 77cd97f chore(release): 7.0.6
  • 6717de4 chore: upgrade standard-version
  • f700743 fix: update cross-spawn version to 7.0.5 in package-lock.json
  • 9a7e3b2 chore: fix build status badge
  • 0852683 chore(release): 7.0.5
  • 640d391 fix: fix escaping bug introduced by backtracking
  • bff0c87 chore: remove codecov
  • a7c6abc chore: replace travis with github workflows
  • 9b9246e chore(release): 7.0.4
  • 5ff3a07 fix: disable regexp backtracking (#160)
  • Additional commits viewable in [compare view](https://github.com/moxystudio/node-cross-spawn/compare/v7.0.3...v7.0.6)
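Added example, not part of this MR and not code from the marty-media/server project or from cross-spawn: a dependency-free Node.js script that audits a `package-lock.json` for every installed copy of cross-spawn (top-level and nested under other packages) and flags the ones inside the affected range quoted above (>= 7.0.0, < 7.0.5). The 6.x range it also checks (anything below the 6.0.6 patch release) is an assumption inferred from the "Patched versions: 6.0.6" line, and the sample lockfile is constructed for the demonstration. Reading the real lockfile through the `auditLockFile` helper and the `audit-cross-spawn.js` file name are the example's own choices.

```javascript
// Added example: audit a package-lock.json for cross-spawn copies in the
// ranges named by the advisory above. Not the MR's or the project's code.

// Ranges: >= 7.0.0 and < 7.0.5 is affected (patched in 7.0.5), per the advisory.
// The 6.x range is an ASSUMPTION derived from "Patched versions: 6.0.6":
// anything on the 6.x line below 6.0.6 is treated as affected.
const AFFECTED_RANGES = [
  { min: [7, 0, 0], fixed: [7, 0, 5] },
  { min: [6, 0, 0], fixed: [6, 0, 6] },
];

// Parse "7.0.3" (also "v7.0.3" or "7.0.3-beta.1") into [major, minor, patch].
function parseVersion(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(version));
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

// Numeric three-part compare: returns -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i += 1) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// True when the version lies in [min, fixed) of any affected range.
function isAffected(version) {
  const v = parseVersion(version);
  if (v === null) return false;
  return AFFECTED_RANGES.some(
    (r) => compareVersions(v, r.min) >= 0 && compareVersions(v, r.fixed) < 0,
  );
}

// Collect every installed copy of cross-spawn. lockfileVersion 2/3 carry a
// flat "packages" map keyed by install path; lockfileVersion 1 carries a
// nested "dependencies" tree. A v2 lockfile has both, so "packages" wins to
// avoid counting the same copy twice.
function collectCrossSpawn(lock) {
  const hits = [];
  if (lock.packages) {
    for (const [installPath, meta] of Object.entries(lock.packages)) {
      if (installPath.endsWith('node_modules/cross-spawn') && meta.version) {
        hits.push({ path: installPath, version: meta.version });
      }
    }
    return hits;
  }
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const installPath = `${prefix}node_modules/${name}`;
      if (name === 'cross-spawn' && meta.version) {
        hits.push({ path: installPath, version: meta.version });
      }
      walk(meta.dependencies, `${installPath}/`);
    }
  };
  walk(lock.dependencies, '');
  return hits;
}

// Audit an already-parsed lockfile object; one record per installed copy.
function auditLock(lock) {
  return collectCrossSpawn(lock).map((h) => ({ ...h, affected: isAffected(h.version) }));
}

// Audit a lockfile on disk (hypothetical helper; path comes from the caller).
function auditLockFile(file) {
  const fs = require('fs');
  return auditLock(JSON.parse(fs.readFileSync(file, 'utf8')));
}

// Constructed sample lockfile (not from any real project): a top-level 7.0.3,
// a nested 6.0.5 and a nested, already patched 7.0.6.
const SAMPLE_LOCK = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', version: '1.0.0' },
    'node_modules/cross-spawn': { version: '7.0.3' },
    'node_modules/some-tool/node_modules/cross-spawn': { version: '6.0.5' },
    'node_modules/other-tool/node_modules/cross-spawn': { version: '7.0.6' },
  },
};

// CLI: `node audit-cross-spawn.js [package-lock.json]`. Without an argument
// the constructed sample is audited; a non-zero exit code is only set when a
// real file on disk contains an affected copy, so CI can fail on it.
if (typeof require !== 'undefined' && require.main === module) {
  const file = process.argv[2];
  const results = file ? auditLockFile(file) : auditLock(SAMPLE_LOCK);
  for (const r of results) {
    console.log(`${r.affected ? 'AFFECTED' : 'ok      '} ${r.version}  ${r.path}`);
  }
  if (file && results.some((r) => r.affected)) process.exitCode = 1;
}
```

Running it against the sample flags the 7.0.3 and 6.0.5 copies and passes the 7.0.6 one. The nested walk matters for this advisory: bumping the top-level pin, as this MR does, does not touch copies that other dependencies vendor under their own `node_modules`, and a lockfile can carry several.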
martinr92 commented 2024-12-02 18:15:13 +00:00 (Migrated from gitlab.com)

assigned to @martinr92
martinr92 commented 2024-12-02 18:19:55 +00:00 (Migrated from gitlab.com)
## SonarQube Cloud Code Analysis

## Quality Gate passed

Issues
  • [0 New issues](https://sonarcloud.io/project/issues?id=marty-media_server&pullRequest=318&issueStatuses=OPEN,CONFIRMED&sinceLeakPeriod=true)
  • [0 Accepted issues](https://sonarcloud.io/project/issues?id=marty-media_server&pullRequest=318&issueStatuses=ACCEPTED)

Measures
  • [0 Security Hotspots](https://sonarcloud.io/project/security_hotspots?id=marty-media_server&pullRequest=318&issueStatuses=OPEN,CONFIRMED&sinceLeakPeriod=true)
  • [0.0% Coverage on New Code](https://sonarcloud.io/component_measures?id=marty-media_server&pullRequest=318&metric=new_coverage&view=list)
  • [0.0% Duplication on New Code](https://sonarcloud.io/component_measures?id=marty-media_server&pullRequest=318&metric=new_duplicated_lines_density&view=list)

[See analysis details on SonarQube Cloud](https://sonarcloud.io/dashboard?id=marty-media_server&pullRequest=318)
martinr92 (Migrated from gitlab.com) merged commit into develop 2024-12-15 10:41:19 +00:00
martinr92 commented 2024-12-15 13:33:24 +00:00 (Migrated from gitlab.com)

🎉 This MR is included in version 0.5.6-beta.1 🎉

The release is available on [GitLab release](https://gitlab.com/marty-media/server/-/releases/v0.5.6-beta.1).

Your **[semantic-release](https://github.com/semantic-release/semantic-release)** bot 📦 🚀
martinr92 commented 2024-12-22 12:32:44 +00:00 (Migrated from gitlab.com)

🎉 This MR is included in version 0.5.6 🎉

The release is available on [GitLab release](https://gitlab.com/marty-media/server/-/releases/v0.5.6).

Your **[semantic-release](https://github.com/semantic-release/semantic-release)** bot 📦 🚀