Summary

This pull request upgrades the cross-spawn dependency to version 7.0.6, addressing a high-severity security vulnerability identified as CVE-2024-21538. The upgrade ensures the application is protected against potential exploitation via a Regular Expression Denial of Service (ReDoS) attack.

Detailed Description

Vulnerability Details

• CVE-2024-21538:
  • Description: Versions of the cross-spawn package prior to 7.0.5 are vulnerable to a ReDoS attack. The issue arises from improper input sanitization in regular expressions, allowing attackers to craft malicious strings that significantly increase CPU usage and may lead to application crashes.
  • Severity: High (CVSS Score: 7.5)
  • Patched Versions: v7.0.5 and later

Changes Made

• Updated the cross-spawn dependency in package.json to v7.0.6.
• Ran npm install to update package-lock.json ensuring consistency with the updated version.

Impact on Codebase

• Dependencies:
  • This change updates only the cross-spawn package. No other dependencies are affected.
• Functionality:
  • There are no changes to the application logic or functionality. This is a security-focused dependency update.
• Performance:
  • Mitigates potential performance degradation caused by ReDoS attacks in prior versions.
• Security:
  • Resolves a high-severity vulnerability, enhancing the overall security posture of the application.

Testing & Validation

• Verified that all existing test cases pass successfully with the updated dependency.
• Manually tested core functionality relying on cross-spawn to confirm no regressions or issues.
• Reviewed the changelog for cross-spawn v7.0.6 to ensure compatibility with our current usage.