CVE-2021-42740 in shell-quote #19785
Comments
We get shell-quote@1.7.2 from a dependency on react-dev-utils@11.x, which is a transitive dependency coming from a few others. react-dev-utils@12 has bumped the version to ^1.7.3, so we need to trace back up to us and see what can be bumped.
@mrbusche We would welcome a PR that would bump the relevant development dependencies in our @cypress/react and @cypress/design-system packages. The cypress package itself does not bundle a shell-quote@1.7.2 dependency and should not be impacted.
Here are all the instances, via
I was able to overwrite the resolutions by adding "resolutions": {
"shell-quote": "1.7.3"
} and removing
My PR was rejected because I didn't make changes to upgrade to the latest major version, which would require a lot more time than I have to contribute. I commented on an issue for react-scripts to see if they'd accept a patch to version 3, but I don't feel confident - facebook/create-react-app#11608
Another solution may be to move react-scripts to devDependencies everywhere. It's currently listed as a dependency under find-webpack and craco. Then when building cypress, build as a production build vs a dev/test bundle that includes devDependencies.
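The two comments above (forcing the version through a "resolutions" entry, and deciding whether a copy only reaches a dev/test bundle) both depend on first knowing where each copy of shell-quote sits in the installed tree. The following is an added example, not code from the Cypress project or from anyone in this thread: it scans an npm package-lock.json (lockfileVersion 2 or 3, which carry a "packages" map keyed by install path) for every installed copy of a package, reports which copies are still below the fixed version, which package pinned each nested copy, and whether the copy is dev-only. The lockfile embedded below is constructed for illustration; its paths and versions are assumptions, not Cypress's real dependency tree.

```javascript
// Added example, not code from the Cypress project or from anyone in this
// thread. Scans an npm package-lock.json ("packages" map, lockfileVersion 2/3)
// for every installed copy of a package and flags the ones below a fixed version.
// SAMPLE_LOCKFILE is constructed for illustration; paths/versions are assumptions.

const SAMPLE_LOCKFILE = {
  name: "example-app",
  lockfileVersion: 2,
  packages: {
    "": { name: "example-app", devDependencies: { "react-scripts": "^4.0.0" } },
    "node_modules/react-scripts": { version: "4.0.3", dev: true },
    "node_modules/react-dev-utils": { version: "11.0.4", dev: true },
    // nested copy pinned by react-dev-utils@11.x: the vulnerable one
    "node_modules/react-dev-utils/node_modules/shell-quote": { version: "1.7.2", dev: true },
    // hoisted copy already on the fixed version
    "node_modules/shell-quote": { version: "1.7.3" },
  },
};

// "1.7.2" -> [1, 7, 2]; a prerelease suffix such as "-beta.1" is ignored.
function parseVersion(v) {
  return v.split("-")[0].split(".").map((n) => parseInt(n, 10) || 0);
}

// true when `version` >= `minimum`, comparing major, minor, patch numerically.
function atLeast(version, minimum) {
  const a = parseVersion(version);
  const b = parseVersion(minimum);
  for (let i = 0; i < 3; i++) {
    const x = a[i] || 0;
    const y = b[i] || 0;
    if (x !== y) return x > y;
  }
  return true;
}

// "node_modules/a/node_modules/b" with suffix "node_modules/b" -> "node_modules/a";
// a hoisted (top-level) copy has no parent and yields "".
function parentPath(path, suffix) {
  return path === suffix ? "" : path.slice(0, path.length - suffix.length - 1);
}

// Every installed copy of `pkgName`: hoisted ("node_modules/<pkg>") or nested
// under another package ("node_modules/<parent>/node_modules/<pkg>").
function findPackageCopies(lockfile, pkgName) {
  const suffix = `node_modules/${pkgName}`;
  const copies = [];
  for (const [path, meta] of Object.entries(lockfile.packages || {})) {
    if (path === suffix || path.endsWith(`/${suffix}`)) {
      copies.push({
        path,
        version: meta.version,
        dev: Boolean(meta.dev),           // reachable only through devDependencies?
        parent: parentPath(path, suffix), // which package pinned this nested copy
      });
    }
  }
  return copies;
}

// Copies whose version is below `fixedVersion` and therefore still need a bump.
function vulnerableCopies(lockfile, pkgName, fixedVersion) {
  return findPackageCopies(lockfile, pkgName).filter((c) => !atLeast(c.version, fixedVersion));
}

// Convenience for a real lockfile on disk (Node only; not exercised by the sample run).
function scanLockfileFile(filePath, pkgName, fixedVersion) {
  const fs = require("fs");
  return vulnerableCopies(JSON.parse(fs.readFileSync(filePath, "utf8")), pkgName, fixedVersion);
}

for (const c of vulnerableCopies(SAMPLE_LOCKFILE, "shell-quote", "1.7.3")) {
  console.log(`${c.path} is ${c.version} (dev-only: ${c.dev}); pinned by ${c.parent || "the root project"}`);
}
```

The `parent` field tells you which package's range is pinning the old copy (here react-dev-utils, as the thread describes), and the `dev` flag is what decides whether a production build that excludes devDependencies would ship it at all. The "resolutions" field quoted in the thread is Yarn's mechanism for forcing a transitive version; npm's equivalent is the "overrides" field in package.json. Either way, re-run the scan on the regenerated lockfile to confirm no copy below 1.7.3 remains.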
This issue has not had any activity in 180 days. Cypress evolves quickly and the reported behavior should be tested on the latest version of Cypress to verify the behavior is still occurring. It will be closed in 14 days if no updates are provided.
This issue has been closed due to inactivity.
Current behavior
CVE-2021-42740 is a critical CVE in shell-quote version 1.7.2 that is resolved in 1.7.3
Desired behavior
cypress uses shell-quote 1.7.3
Test code to reproduce
It's a publicly visible CVE
Cypress Version
9.3.1
Other
No response