Task: Upgrade cross-spawn version due to Node Cross-Spawn Vulnerability (CVE-2024–21538) #1038

Open
3 tasks
vinhyan opened this issue Dec 5, 2024 · 9 comments
@vinhyan
Contributor

vinhyan commented Dec 5, 2024

Describe the task

Looks like the cross-spawn issue might come from this transitive dependency, so upgrading the parent dependency is needed (screenshot attached in the original issue).

High-severity vulnerability with the current cross-spawn version 7.0.3: CVE-2024-21538

npm audit fix cannot fix it without bumping the version to 7.0.5 or above.

Acceptance Criteria

  • cross-spawn dependency is updated to version 7.0.5 or higher in the npm package.
  • The vulnerability CVE-2024-21538 in cross-spawn is no longer flagged by npm audit.
  • The fix does not break any existing functionality or dependencies in the project.

Additional context

  • This issue is affecting code commits due to a failure in npm audit (CVE-2024-21538).
@vinhyan vinhyan changed the title Task: Update cross-pawn version due to Node Cross-Spawn Vulnerability (CVE-2024–21538) Task: Upgrade cross-pawn version due to Node Cross-Spawn Vulnerability (CVE-2024–21538) Dec 5, 2024
@vinhyan vinhyan changed the title Task: Upgrade cross-pawn version due to Node Cross-Spawn Vulnerability (CVE-2024–21538) Task: Upgrade cross-spawn version due to Node Cross-Spawn Vulnerability (CVE-2024–21538) Dec 5, 2024
@vinhyan
Contributor Author

vinhyan commented Dec 6, 2024

Our locked npm version is 10.8.3, which uses cross-spawn v7.0.3—a version with the above vuln. I tested modifying the npm version to 10.9.1 directly in the lockfile, deleted node_modules, and ran npm i. This approach worked, as npm 10.9.1 uses cross-spawn 7.0.6, which does not have the vuln issue. However, I’m not sure if manually editing the lockfile is recommended.

This issue is currently blocking me from committing code, so any advice on resolving it would be greatly appreciated. :) @CodeWritingCow

@vinhyan
Contributor Author

vinhyan commented Dec 7, 2024

@nlebovits also looping you in for advice on this. Thanks! :)

@nlebovits
Collaborator

Hey @vinhyan sorry for my slow response on this! Was OOO while traveling. I'm not a JS expert at all but I'll make sure @CodeWritingCow sees this and gets back to you.

@CodeWritingCow
Collaborator

@vinhyan When I ran npm update and then npm audit locally, the vulnerability alert for cross-spawn disappeared.

Also ran npm ls cross-spawn to verify that cross-spawn got upgraded to v7.0.6 (screenshot attached in the original comment).

Generally, I recommend not manually changing package-lock.json. We should update and manage it using npm commands such as npm install and npm update. That file tracks both our application's top dependencies and their nested dependencies.
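As an added example (not the project's code or any commenter's), here is a small Node script that does the same check as npm ls cross-spawn offline against package-lock.json: it lists every nested copy of cross-spawn below 7.0.5 together with the parent package that pins it, which is what npm audit keeps flagging when the top-level copy is already 7.0.6. The lockfile below is a constructed sample of the v2/v3 "packages" map, modelled on the locked npm 10.8.3 case described above.

```javascript
// Added example, not from the project: find every cross-spawn copy in an npm
// lockfile (v2/v3 "packages" map) below the fixed version and name its parent.
const FIXED_VERSION = "7.0.5"; // first release without CVE-2024-21538, per the issue

// Constructed sample lockfile: the app resolves cross-spawn 7.0.6 at top level,
// but the locked npm 10.8.3 nests its own cross-spawn 7.0.3.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "app", dependencies: { npm: "10.8.3" } },
    "node_modules/cross-spawn": { version: "7.0.6" },
    "node_modules/npm": { version: "10.8.3", dependencies: { "cross-spawn": "^7.0.3" } },
    "node_modules/npm/node_modules/cross-spawn": { version: "7.0.3" },
  },
};

// Numeric dotted-version compare (prerelease suffix ignored): <0, 0 or >0.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Parent that nests a package path: ".../npm/node_modules/cross-spawn" -> "npm".
function parentOf(pkgPath) {
  const parts = pkgPath.split("/node_modules/");
  if (parts.length < 2) return "(root)";
  return parts[parts.length - 2].replace(/^node_modules\//, "");
}

// Every instance of `name` whose version is below `fixed`, with its parent.
function findVulnerable(lock, name = "cross-spawn", fixed = FIXED_VERSION) {
  const hits = [];
  for (const [pkgPath, meta] of Object.entries(lock.packages || {})) {
    if (!pkgPath.endsWith(`node_modules/${name}`) || !meta.version) continue;
    if (compareVersions(meta.version, fixed) < 0) {
      hits.push({ path: pkgPath, version: meta.version, parent: parentOf(pkgPath) });
    }
  }
  return hits;
}

for (const h of findVulnerable(SAMPLE_LOCK)) {
  console.log(`${h.path}: ${h.version} < ${FIXED_VERSION}, nested under ${h.parent}`);
}
```

To run it against a real lockfile, replace SAMPLE_LOCK with JSON.parse(require("fs").readFileSync("package-lock.json", "utf8")); a non-empty result names the parent whose own dependency (here npm) has to move before npm audit stops flagging cross-spawn.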

@millmason
Contributor

millmason commented Jan 13, 2025

@CodeWritingCow I've been having the same problem. I was able to temporarily resolve it using the steps you described (running npm update and npm audit from a fresh install), but I kept hitting an error. When the frontend compiles on my machine, I consistently get:

⨯ ./node_modules/react-map-gl/dist/esm/exports-mapbox.js:16:1
Module not found: Can't resolve 'mapbox-gl'

It seems like it's due to a version discrepancy with the dependency gl-matrix, so I installed that separately and the Module not found error went away... but the cross-spawn issue came back. Do you know if this is a known issue, or something that might be specific to me? I thought about opening a new issue but figured it might be better to check here first, since they seem related.

@millmason
Contributor

I'm still getting this error (and blocked from committing as a result) in spite of pulling down a clean download and following the given steps (npm i, npm update, npm audit). Strangely, when I run npm ls cross-spawn, it shows that I've successfully updated it to 7.0.6, but the error still comes up in the pre-commit hook. Is there a step I'm omitting?

@CodeWritingCow
Collaborator

CodeWritingCow commented Jan 15, 2025

@millmason can you see if you can commit your code by using the --no-verify flag?

Something like git commit -m "Your commit message here" --no-verify? It'd bypass the pre-commit hook. Not ideal but it could be a temporary workaround until I can figure out what's going on with this error.

@millmason
Contributor

@CodeWritingCow that works perfectly! Thank you!

@CodeWritingCow CodeWritingCow self-assigned this Jan 15, 2025
@CodeWritingCow
Collaborator

@millmason you are welcome! Thanks for following up on this. It fell off my radar because I was working on fixing a separate issue.
