This repository has been archived by the owner on Jan 16, 2025. It is now read-only.

bin-wrapper uses bin-check (6 years old now) which uses execa 0.x that has security issues #222

Open
eturino opened this issue May 23, 2023 · 2 comments

Comments

@eturino

eturino commented May 23, 2023

Recently the bin-wrapper dependency was added, which then was modified to use the @mole-inc fork since that one is maintained.

This still uses bin-check, which depends on execa 0.7, which has a vulnerability (OS Command Injection in execa).

https://www.npmjs.com/package/bin-check
https://www.npmjs.com/package/execa

I've opened a ticket with mole-inc to see if they can fork bin-check as well and remove that old dependency: mole-inc/bin-wrapper#10
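
One way to see which install paths still pull in execa 0.x, as in the bin-wrapper > bin-check > execa chain reported above. This is an added example, not code from this repository or its maintainers; the lockfile data, every version number other than execa 0.7.0, and the names `resolveDep`, `findChains` and `isZeroMajor` are constructed for illustration.

```javascript
// Constructed "packages" map in package-lock.json lockfileVersion 2/3 layout.
// Versions are illustrative; only execa 0.7.0 comes from the issue text.
const sampleLock = {
  packages: {
    "": { name: "app", dependencies: { "@mole-inc/bin-wrapper": "^8.0.1", execa: "^5.1.1" } },
    "node_modules/@mole-inc/bin-wrapper": { version: "8.0.1", dependencies: { "bin-check": "^4.1.0" } },
    "node_modules/bin-check": { version: "4.1.0", dependencies: { execa: "^0.7.0" } },
    "node_modules/bin-check/node_modules/execa": { version: "0.7.0" },
    "node_modules/execa": { version: "5.1.1" },
  },
};

// Node-style resolution: try the dependent's own node_modules, then each ancestor's.
function resolveDep(packages, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + name;
    if (packages[candidate]) return candidate;
    if (!base) return null; // not installed (e.g. skipped optional dependency)
    const i = base.lastIndexOf("/node_modules/");
    base = i === -1 ? "" : base.slice(0, i);
  }
}

// Walk the installed tree from the root and report every dependency edge that
// lands on a flagged copy of `target`, with the chain of packages leading to it.
function findChains(lock, target, isFlagged) {
  const packages = lock.packages;
  const chains = [];
  const seen = new Set([""]);
  const walk = (path, trail) => {
    const pkg = packages[path];
    const deps = { ...pkg.dependencies, ...pkg.optionalDependencies, ...pkg.devDependencies };
    for (const name of Object.keys(deps)) {
      const dep = resolveDep(packages, path, name);
      if (!dep) continue;
      const next = [...trail, `${name}@${packages[dep].version}`];
      if (name === target && isFlagged(packages[dep].version)) chains.push(next.join(" > "));
      if (seen.has(dep)) continue; // each installed copy is expanded once
      seen.add(dep);
      walk(dep, next);
    }
  };
  walk("", []);
  return chains;
}

// Criterion taken from the issue title ("execa 0.x"), not from an advisory range.
const isZeroMajor = (version) => /^0\./.test(version);

console.log(findChains(sampleLock, "execa", isZeroMajor));
```

The root-level execa 5.1.1 is not reported; only the nested copy that bin-check resolves to is.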

@mpsanchis

I would be interested in this as well

@thekhegay

#291

Also, execa is used in many other packages, and uses cross-spawn (sindresorhus/execa#578)
