
bin-wrapper uses bin-check (6 years old now) which uses execa 0.x that has security issues #222

Open
eturino opened this issue May 23, 2023 · 2 comments

Comments

@eturino

eturino commented May 23, 2023

Recently the bin-wrapper dependency was added, which then was modified to use the @mole-inc fork since that one is maintained.

This still uses bin-check which depends on execa 0.7 which has a vulnerability (OS Command Injection in execa)

https://www.npmjs.com/package/bin-check
https://www.npmjs.com/package/execa

I've opened a ticket with mole-inc to see if they can fork bin-check as well and remove that old dependency mole-inc/bin-wrapper#10
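The chain described in this report (bin-wrapper → bin-check → execa 0.7) is the kind of nested install that `npm ls execa` will show, but a lockfile walk is easier to script into CI. The following is an added example, not code from the issue or from any of the projects named in it. It reads an npm lockfile of lockfileVersion 2 or 3 (the flat `packages` map), lists every installed copy of a package, works out which dependents resolve to each copy using Node's nearest-`node_modules` lookup, and flags copies below a minimum major version. The sample lockfile is constructed inline; apart from execa 0.7, which the issue mentions, all version numbers in it are made up for the demo.

```javascript
// Added example (not from the issue): locate every copy of a package in an
// npm lockfile (lockfileVersion 2 or 3, which carry a flat "packages" map),
// report which packages pull each copy in, and flag copies below a minimum
// major version. Constructed sample lockfile; only "execa 0.7" comes from
// the issue, every other version here is invented for the demo.
const SAMPLE_LOCK = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { "bin-wrapper": "^4.0.0", execa: "^7.0.0" } },
    "node_modules/execa": { version: "7.1.1" },
    "node_modules/bin-wrapper": { version: "4.1.0", dependencies: { "bin-check": "^4.0.0" } },
    "node_modules/bin-check": { version: "4.1.0", dependencies: { execa: "^0.7.0" } },
    // The nested copy is the one the issue is about: bin-check's own execa 0.7.
    "node_modules/bin-check/node_modules/execa": { version: "0.7.0" },
  },
};

// Name of the package installed at a lockfile path
// ("node_modules/a/node_modules/@s/b" -> "@s/b"; "" is the project root).
function packageNameAt(lockPath) {
  if (lockPath === "") return "(root)";
  const i = lockPath.lastIndexOf("node_modules/");
  return lockPath.slice(i + "node_modules/".length);
}

// Mimic Node's resolution: the nearest node_modules/<name> walking up from fromPath.
function resolveDependency(packages, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = base ? `${base}/node_modules/${name}` : `node_modules/${name}`;
    if (packages[candidate]) return candidate;
    if (!base) return null; // not installed at all (e.g. an absent optional dependency)
    const idx = base.lastIndexOf("/node_modules/");
    base = idx === -1 ? "" : base.slice(0, idx);
  }
}

// Every installed copy of `name`, each with the packages that resolve to it.
function findCopies(lock, name) {
  const packages = lock.packages;
  if (!packages) throw new Error("expected lockfileVersion 2 or 3 (a 'packages' map)");
  const copies = new Map();
  for (const [path, entry] of Object.entries(packages)) {
    if (path !== "" && packageNameAt(path) === name) {
      copies.set(path, { path, version: entry.version, dependents: [] });
    }
  }
  for (const [path, entry] of Object.entries(packages)) {
    const deps = { ...(entry.dependencies || {}), ...(entry.optionalDependencies || {}) };
    if (!(name in deps)) continue;
    const resolved = resolveDependency(packages, path, name);
    if (resolved && copies.has(resolved)) {
      copies.get(resolved).dependents.push(packageNameAt(path));
    }
  }
  return [...copies.values()];
}

function majorOf(version) {
  return parseInt(String(version).split(".")[0], 10);
}

// Copies whose major version is below minMajor: the stale transitive ones to chase.
function findStaleCopies(lock, name, minMajor) {
  return findCopies(lock, name).filter((c) => majorOf(c.version) < minMajor);
}

// Stand-alone run: print the stale execa copies in the constructed lockfile.
if (typeof require !== "undefined" && require.main === module) {
  for (const c of findStaleCopies(SAMPLE_LOCK, "execa", 1)) {
    console.log(`${c.path} (${c.version}) pulled in by: ${c.dependents.join(", ")}`);
  }
}
```

To run it against a real project, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`. The dependents list is what makes the output actionable: a hoisted copy used only by the root is fixed by bumping your own dependency, whereas a nested copy owned by a transitive dependency, as here, needs that upstream package (or a maintained fork of it) to move first.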

@mpsanchis

I would be interested in this as well

@thekhegay

#291

Also, execa is used in many other packages, and uses cross-spawn (sindresorhus/execa#578)
