Vulnerability in transitive execa dependency #54

Closed
gitLinda opened this issue Sep 9, 2024 · 4 comments · Fixed by #72

gitLinda commented Sep 9, 2024

Hi,

We are using the @swc/cli which brings in a very old version of execa from transitive dependencies. This execa version contains an "Uncontrolled Search Path Element" vulnerability.

bin-check seems to be not maintained anymore, but there is a fork available: see this issue.
Unfortunately @mole-inc/bin-wrapper seems unmaintained as well.

A fix would be very appreciated.

kdy1 added a commit that referenced this issue Oct 22, 2024
kdy1 added a commit that referenced this issue Oct 22, 2024
@rrushextern

Hi there,

We're facing the same issue with the package. Any updates on this?

@kdy1 kdy1 self-assigned this Oct 30, 2024
@kdy1
Member

kdy1 commented Nov 4, 2024

This issue cannot be exploited considering the code of @swc/cli

@kdy1 kdy1 removed their assignment Nov 4, 2024
@gitLinda
Author

gitLinda commented Nov 4, 2024

Hi @kdy1, it would still be nice to fix it since it shows up all the time in security reports.

@kdy1
Member

kdy1 commented Nov 4, 2024

I'll happily accept a PR
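
To see which chain pulls a flagged transitive package such as execa into a project, the lockfile can be walked from each installed copy back to the root. This is an added example, not part of the thread or of @swc/cli's code; it assumes an npm lockfile with a `packages` map (lockfileVersion 2 or 3), and the sample lockfile, its dependency chain and its version numbers are constructed.

```javascript
// Constructed lockfileVersion 3 fragment: the chain and every version number
// are made up for illustration, none of them come from the issue.
const sampleLock = {
  packages: {
    "": { devDependencies: { "@swc/cli": "0.0.1" } },
    "node_modules/@swc/cli": { version: "0.0.1", dependencies: { "@mole-inc/bin-wrapper": "0.0.2" } },
    "node_modules/@mole-inc/bin-wrapper": { version: "0.0.2", dependencies: { "bin-check": "0.0.3" } },
    "node_modules/bin-check": { version: "0.0.3", dependencies: { execa: "0.0.4" } },
    "node_modules/bin-check/node_modules/execa": { version: "0.0.4" },
  },
};

const nameOf = (key) => key.includes("node_modules/") ? key.slice(key.lastIndexOf("node_modules/") + 13) : key;

// Node-style resolution: the dependent's own node_modules first, then each
// enclosing package's node_modules, up to the project root.
function resolve(packages, fromKey, dep) {
  for (let base = fromKey; ; ) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + dep;
    if (packages[candidate]) return candidate;
    if (base === "") return null; // not installed, e.g. a skipped optional dep
    const cut = base.lastIndexOf("/node_modules/");
    base = cut >= 0 ? base.slice(0, cut) : "";
  }
}

// Every chain from the project root to each installed copy of `target`.
function whyInstalled(lock, target) {
  const packages = lock.packages || {};
  const parents = {}; // install key -> keys of the packages that require it
  for (const [key, pkg] of Object.entries(packages)) {
    const deps = { ...pkg.dependencies, ...pkg.optionalDependencies,
                   ...(key === "" ? pkg.devDependencies : {}) };
    for (const dep of Object.keys(deps)) {
      const hit = resolve(packages, key, dep);
      if (hit) (parents[hit] ||= []).push(key);
    }
  }
  const chains = [];
  const label = (key) => `${nameOf(key)}@${packages[key].version}`;
  const climb = (key, path) => {
    if (path.includes(key)) return; // dependency cycle guard
    if (key === "") return void chains.push(["(root)", ...path.map(label)].join(" > "));
    for (const parent of parents[key] || []) climb(parent, [key, ...path]);
  };
  for (const key of Object.keys(packages))
    if (key.includes("node_modules/") && nameOf(key) === target) climb(key, []);
  return chains;
}
```

On a real project, pass the parsed `package-lock.json` to `whyInstalled`; `npm explain execa` reports the same chains from the command line.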
