Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix: CVE-2024-21538 upgrading the indirect dep cross-spawn to greater than 7.0.5 #21259

Open
wants to merge 2 commits into
base: master
Choose a base branch
from

Conversation

nmirasch
Copy link

This PR fixes CVE-2024-21538 by upgrading the indirect dependency of the package cross-spawn regarding before 7.0.5 are vulnerable to Regular Expression Denial of Service (ReDoS) due to improper input sanitization.
To achieve this update:

  • Update eslint to "^9.15.0"
  • eslint-plugin-react to "^7.37.2"
  • removed the use of jest-transform-css, regarding there isn't a release that supports a version newer than 7.0.3 and updated accordingly the jest.config.js for that purpose

The dependency after this fix:

~/github/argo-cd/ui> npm ls cross-spawn
├─┬ [email protected]
│ └── [email protected]
└─┬ [email protected]
  └─┬ [email protected]
    └── [email protected] deduped

Checklist:

  • Either (a) I've created an enhancement proposal and discussed it with the community, (b) this is a bug fix, or (c) this does not need to be in the release notes.
  • The title of the PR states what changed and the related issues number (used for the release note).
  • The title of the PR conforms to the Toolchain Guide
  • I've included "Closes [ISSUE #]" or "Fixes [ISSUE #]" in the description to automatically close the associated issue.
  • I've updated both the CLI and UI to expose my feature, or I plan to submit a second PR with them.
  • Does this PR require documentation updates?
  • I've updated documentation as required by this PR.
  • I have signed off all my commits as required by DCO
  • I have written unit and/or e2e tests for my change. PRs without these are unlikely to be merged.
  • My build is green (troubleshooting builds).
  • My new feature complies with the feature status guidelines.
  • I have added a brief description of why this PR is necessary and/or what this PR solves.
  • Optional. My organization is added to USERS.md.
  • Optional. For bug fixes, I've indicated what older releases this fix should be cherry-picked into (this may or may not happen depending on risk/complexity).

@nmirasch nmirasch requested a review from a team as a code owner December 19, 2024 10:58
Copy link

bunnyshell bot commented Dec 19, 2024

🔴 Preview Environment stopped on Bunnyshell

See: Environment Details | Pipeline Logs

Available commands (reply to this comment):

  • 🔵 /bns:start to start the environment
  • 🚀 /bns:deploy to redeploy the environment
  • /bns:delete to remove the environment

@nmirasch nmirasch force-pushed the CVE-2024-21538_master branch from 7577d6b to 5d25432 Compare December 23, 2024 10:28
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

1 participant