
Transitive dependency on vulnerable version of cross-spawn #4640

mlc opened this issue Nov 25, 2024 · 5 comments

Comments

@mlc

mlc commented Nov 25, 2024

What happened?

Detox depends on child-process-promise, which in turn depends on cross-spawn@^4.0.2. However, versions of cross-spawn prior to 6.0.6 are vulnerable to a ReDoS vulnerability.

What was the expected behaviour?

Detox should presumably switch away from child-process-promise and towards something more actively maintained, I guess, or figure out another way to mitigate this vulnerability.

Was it tested on latest Detox?

  • I have tested this issue on the latest Detox release and it still reproduces.

Help us reproduce this issue!

No response

In what environment did this happen?

No response

Detox logs

No response

Device logs

No response

More data, please!

No response

@Seraphiyra

We are also getting notified about this via Snyk

@lundn

lundn commented Dec 2, 2024

We're also getting warned about this through Dependabot

@carldsparks3

carldsparks3 commented Dec 3, 2024

I started getting warnings about this from npm audit.

I see at least 1 other dependency that contains a vulnerable version of "cross-spawn" in Detox 20.28.0: the dev dependency for the Detox project, "cross-env". Detox currently specifies version 7.0.3 of "cross-env", which then specifies version 7.0.1 of "cross-spawn" as a dependency.

The "cross-env" project is currently archived since it is in maintenance mode.

EDIT:
I currently added a package override to my project's main package.json file while waiting for an official solution.

```json
"overrides": { "cross-spawn": "^7.0.6" }
```
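An added example (not from the Detox project or any commenter here) that scans a package-lock.json for nested copies of cross-spawn below the fixed version, so the effect of an override like the one above can be checked against the lockfile rather than assumed. It takes the fixed versions from this thread as an assumption (6.0.6 for the 6.x line, and the ^7.0.6 override for the 7.x line), and the lockfile fragment is constructed to mirror the dependency paths discussed above.

```javascript
// Fixed versions per major line, taken from this thread (assumption: 6.0.6 for
// 6.x as reported above, 7.0.6 for 7.x as in the override above).
const FIXED = { 6: [6, 0, 6], 7: [7, 0, 6] };

function parseVersion(v) {
  // Strip a leading "v" and ignore any prerelease/build suffix.
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

function isVulnerable(version) {
  const parsed = parseVersion(version);
  const fixed = FIXED[parsed[0]];
  // Majors without a listed fix: anything older than 6.x is below 6.0.6.
  if (!fixed) return parsed[0] < 6;
  return compareVersions(parsed, fixed) < 0;
}

// Walk the lockfile (lockfileVersion 2/3 "packages" map) and report every
// cross-spawn entry, nested or top-level, that is still on an affected version.
function findVulnerableCrossSpawn(lock) {
  const hits = [];
  for (const [path, pkg] of Object.entries(lock.packages || {})) {
    if (!path.endsWith('node_modules/cross-spawn')) continue;
    if (isVulnerable(pkg.version)) hits.push({ path, version: pkg.version, dev: !!pkg.dev });
  }
  return hits;
}

// Constructed lockfile fragment: top-level cross-spawn already on 7.0.6, but
// child-process-promise and cross-env still carry their own nested copies.
const SAMPLE_LOCK = {
  packages: {
    'node_modules/cross-spawn': { version: '7.0.6' },
    'node_modules/child-process-promise/node_modules/cross-spawn': { version: '4.0.2' },
    'node_modules/cross-env/node_modules/cross-spawn': { version: '7.0.1', dev: true },
  },
};

for (const h of findVulnerableCrossSpawn(SAMPLE_LOCK)) {
  console.log(`${h.path}@${h.version}${h.dev ? ' (dev)' : ''}`);
}
```

Pointing the scan at a real lockfile after adding the override should return no hits; a remaining nested entry means the override did not reach that path.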

@noomorph
Collaborator

noomorph commented Dec 4, 2024

I see. I'll try to take this during December. Thanks for the report.

@noomorph noomorph self-assigned this Dec 4, 2024
@thomashohn

thomashohn commented Dec 10, 2024

You could switch to promisify-child-process. It seems to work in a couple of places, but I could not make it work in BinaryExec.js; it doesn't seem to be a drop-in replacement there.

At least the change

```js
const spawn = require('child-process-promise').spawn;
```

=>

```js
const { spawn } = require('promisify-child-process');
```

does not work. Maybe you have a suggestion?
