
Critical security issue in execa dependency

Open fehwalker opened this issue 1 year ago • 2 comments

Current version of commit-info package has a dependency of execa 1.x, which has a critical security vulnerability (CVSS score 9.8) as reported via Gitlab Security Advisories.

Advisory: https://advisories.gitlab.com/pkg/npm/execa/GMS-2020-2/

Recommendation is to upgrade to execa version 2.0.0 or higher.

fehwalker avatar Dec 19 '24 23:12 fehwalker

The repo is currently configured with [email protected]

https://github.com/cypress-io/commit-info/blob/514900c61614c4bd6ab79ccc16c7efc3b638cbdb/package.json#L56

Although https://advisories.gitlab.com/pkg/npm/execa/GMS-2020-2/ describes this issue and recommends fixed versions: 2.0.0, npm audit and Dependabot do not report this vulnerability.

An update to execa@2 ([email protected]) is a breaking change, due to removal of execa.shell(), requiring code changes to commit-info.

https://github.com/cypress-io/commit-info/blob/514900c61614c4bd6ab79ccc16c7efc3b638cbdb/src/git-api.js#L40

  • Cypress was recently upgraded through PR https://github.com/cypress-io/cypress/pull/32238, tackling the above code change issue.

MikeMcC399 avatar Sep 05 '25 09:09 MikeMcC399

update Execa version to 5.1.1.

Change:
return Promise.try(() => execa.shell(gitCommand, { cwd: pathToRepo }))
To:
return Promise.try(() => execa.command(gitCommand, { cwd: pathToRepo }))

Updated and corrected for the vulnerability...

pluralgarths avatar Oct 14 '25 23:10 pluralgarths

Reported as critical vulnerability in cypress/included:15.7.0 Docker image, scanned by Docker Scout


MikeMcC399 avatar Nov 25 '25 19:11 MikeMcC399