Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Please bump cross-spawn dependency to ^7.0.6 to fix npm audit failure due to CVE-2024-21538 #3779

Closed
1 task
NathZ1 opened this issue Nov 27, 2024 · 5 comments
Closed
1 task

Please bump cross-spawn dependency to ^7.0.6 to fix npm audit failure due to CVE-2024-21538 #3779

NathZ1 opened this issue Nov 27, 2024 · 5 comments
Labels
bug Something isn't working new Un-triaged issue

Comments

@NathZ1
Copy link

NathZ1 commented Nov 27, 2024

Expected Behavior

npm audit passes with 0 vulnerabilities

Actual Behavior

npm audit fails with 7 high severity vulnerabilities

CVE-2024-21538

Steps to Reproduce

npm install or npm audit

Versions

language: typescript
node: 20.11.1
cdktf: 0.20.10
cdktf-cli: 0.20.10

Providers

No response

Gist

No response

Possible Solutions

No response

Workarounds

No response

Anything Else?

No response

References

No response

Help Wanted

  • I'm interested in contributing a fix myself

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment
@NathZ1 NathZ1 added bug Something isn't working new Un-triaged issue labels Nov 27, 2024
@yeoffrey
Copy link

yeoffrey commented Dec 2, 2024
edited
Loading

I think #3765 has to be merged. Would like to get this fixed :)

@BeniRupp
Copy link

BeniRupp commented Dec 3, 2024

@yeoffrey, the mentioned PR will just upgrade the @types/node packages. Your proposed changes of cross-spawn are not part of the PR anymore.

@dhanushkakottegoda
Copy link

dhanushkakottegoda commented Dec 3, 2024
edited
Loading

If I am not mistaken this is already fixed : https://github.com/hashicorp/terraform-cdk/blob/main/packages/cdktf-cli/package.json#L52 and just needs a release?

When can we expect the next release?

@DanielMSchmidt
Copy link
Contributor

I'm closing this since the code change is merged, I'll try to get a release out soonish

@tgerulaitis tgerulaitis mentioned this issue Dec 19, 2024
Merged
@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented Jan 9, 2025

I'm going to lock this issue because it has been closed for 30 days. This helps our maintainers find and focus on the active issues. If you've found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jan 9, 2025
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
bug Something isn't working new Un-triaged issue
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@DanielMSchmidt @NathZ1 @BeniRupp @dhanushkakottegoda @yeoffrey