[SECURITY] Bump cross-spawn, CVE-2024-21538

[agustints]

Summary

This pull request upgrades the cross-spawn dependency to version 7.0.6, addressing a high-severity security vulnerability identified as CVE-2024-21538. The upgrade ensures the application is protected against potential exploitation via a Regular Expression Denial of Service (ReDoS) attack.

---

Detailed Description

Vulnerability Details

• CVE-2024-21538:
  • Description: Versions of the cross-spawn package prior to 7.0.5 are vulnerable to a ReDoS attack. The issue arises from improper input sanitization in regular expressions, allowing attackers to craft malicious strings that significantly increase CPU usage and may lead to application crashes.
  • Severity: High (CVSS Score: 7.5)
  • Patched Versions: v7.0.5 and later

Changes Made

• Updated the cross-spawn dependency in package.json to v7.0.6.
• Ran npm install (or equivalent) to regenerate package-lock.json ensuring consistency with the updated version.

---

Impact on Codebase

• Dependencies:
  • This change updates only the cross-spawn package. No other dependencies are affected.
• Functionality:
  • There are no changes to the application logic or functionality. This is a security-focused dependency update.
• Performance:
  • Mitigates potential performance degradation caused by ReDoS attacks in prior versions.
• Security:
  • Resolves a high-severity vulnerability, enhancing the overall security posture of the application.

---

Testing & Validation

• Verified that all existing test cases pass successfully with the updated dependency.
• Manually tested core functionality relying on cross-spawn to confirm no regressions or issues.
• Reviewed the changelog for cross-spawn v7.0.6 to ensure compatibility with our current usage.

[jbreckmckye]

Would be good to get this reviewed / merged rather than relying on npm update cross-spawn

[YasharF]

Why do we need this PR? The ^ versions should already cause npm install to install the latest version of those packages. If you already had the package installed, then you can either do an npm update or just nuke node_modules and redo your npm install.

[jbreckmckye]

The ^ versions should already cause npm install to install the latest version of those packages.

@YasharF The semantics of npm install / ci are not as straightforward as that - there are situations where the resolver will prefer a lower version of a package if it is already a candidate in package-lock

[nleborgne]

Any news on this?

[YasharF]

@nleborgne

Any news on this?

The ^ versions should already include the fixed cross-spawn. To ensure your project uses the latest patched versions, update your npm packages by running either npm update --save or rm -rf package-lock.json && rm -rf node_modules && npm install. If your application breaks due to these updates, it’s important to address compatibility issues within your application to ensure it handles the latest versions appropriately.

If dependency resolution is still forcing an older, vulnerable version of cross-spawn, it’s likely caused by another package in your project. You can investigate the source by running npm ls cross-spawn to identify which package is pulling in the unpatched version. Once pinpointed, you may need to reach out to the developer of that package to address the issue.

In cases where a dependency introduces an unresolved regression or backward incompatibility, pinning a specific version of an npm module in your package.json can be a temporary approach while the issue is being addressed by the package owner. If that pinned version includes a vulnerable version of cross-spawn, you can override it using an override block like the following in your package.json while waiting for an update.

  "dependencies": {
    ...
  },
  "devDependencies": {
   ...
  },
  "overrides": {
    "<dependency_name>": {
      "<nested_dependency_name>": "<exact_version_or_range>"
    }
  }

...