
chore: maintenance october 2024 #191

Merged
merged 3 commits into from
Oct 27, 2024

Conversation


@aldy505 aldy505 commented Oct 27, 2024

No description provided.


github-actions bot commented Oct 27, 2024

Here are the results of the [Semgrep](https://semgrep.dev/docs/getting-started/quickstart-oss/) scan (last updated: October 27, 2024 at 12:44:02 UTC):
```text
┌─────────────────┐
│ 6 Code Findings │
└─────────────────┘

    rce/Dockerfile
   ❯❯❱ dockerfile.security.missing-user.missing-user
          By not specifying a USER, a program in the container may run as 'root'. This is a security hazard.
          If an attacker can control a process running as root, they may have control over the container.
          Ensure that the last USER in a Dockerfile is a USER other than 'root'.
          Details: https://sg.run/Gbvn

           ▶▶┆ Autofix ▶ USER non-root CMD ["node", "./dist/index.js"]
           40┆ CMD ["node", "./dist/index.js"]

    rce/scripts/install.cjs
   ❯❯❱ javascript.lang.security.audit.spawn-shell-true.spawn-shell-true
          Found '$SPAWN' with '{shell: true}'. This is dangerous because this call will spawn the command
          using a shell process. Doing so propagates current shell settings and variables, which makes it much
          easier for a malicious actor to execute commands. Use '{shell: false}' instead.
          Details: https://sg.run/Wgeo

           38┆ const cmd = cp.spawn(command, {
           39┆    cwd: workingDirectory,
           40┆    env: {
           41┆            ...process.env,
           42┆            ...env,
           43┆            PATH:
           44┆                    "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:" +
           45┆                    env.PATH,
           46┆    },
           47┆    maxBuffer: 1024 * 500,
             [hid 3 additional lines, adjust with --max-lines-per-finding]

   ❯❯❱ javascript.lang.security.detect-child-process.detect-child-process
          Detected calls to child_process from a function argument `command`. This could lead to a command
          injection if the input is user controllable. Try to avoid calls to child_process, and if it is
          needed ensure user input is correctly sanitized or sandboxed.
          Details: https://sg.run/l2lo

           38┆ const cmd = cp.spawn(command, {

    rce/scripts/register-users.cjs
   ❯❯❱ javascript.lang.security.detect-child-process.detect-child-process
          Detected calls to child_process from a function argument `command`. This could lead to a command
          injection if the input is user controllable. Try to avoid calls to child_process, and if it is
          needed ensure user input is correctly sanitized or sandboxed.
          Details: https://sg.run/l2lo

           17┆ const cmd = cp.exec(command, { cwd: workingDirectory }, (error) => {

    rce/src/job/job.ts
    ❯❱ javascript.lang.security.audit.path-traversal.path-join-resolve-traversal.path-join-resolve-traversal
          Detected possible user input going into a `path.join` or `path.resolve` function. This could
          possibly lead to a path traversal vulnerability, where the attacker can access arbitrary files
          stored in the file system. Instead, be sure to sanitize or validate user input first.
          Details: https://sg.run/OPqk

          235┆ return fs.rm(path.join(this._baseFilePath, file), {

   ❯❯❱ javascript.lang.security.detect-child-process.detect-child-process
          Detected calls to child_process from a function argument `command`. This could lead to a command
          injection if the input is user controllable. Try to avoid calls to child_process, and if it is
          needed ensure user input is correctly sanitized or sandboxed.
          Details: https://sg.run/l2lo

          269┆ const cmd = childProcess.spawn(command[0], command.slice(1), {
```

@aldy505 aldy505 merged commit 067d701 into master Oct 27, 2024
25 checks passed
@aldy505 aldy505 deleted the chore/maintenance-oct2024 branch October 27, 2024 14:33