OS Command Injection in execa (execa@^1.0.0) #159
Comments
Is a patch planned? This vulnerability prohibits us from publishing our package.
@amasad can you please approve this merge?
Hey guys, I'm not really coding anymore so can't really test and maintain this package. Anyone want to be a maintainer? cc @stefanpenner if he has any ideas.
sane@4.1.0 is now deprecated in favor of sane@5.0.1 using execa@4.0.0
Dependency execa@^1.0.0 has the following vulnerability reported:

Description:
Attackers could trick execa into executing arbitrary binaries. This behaviour is caused by the setting preferLocal=true, which makes execa search for locally installed binaries and execute them.

Identifiers
Gemnasium-05cfa2e8-2d0c-42c1-8894-638e2f12ff3d

Severity
Critical