
Task: Upgrade cross-spawn version due to Node Cross-Spawn Vulnerability (CVE-2024–21538) #1038

Open
3 tasks
vinhyan opened this issue Dec 5, 2024 · 4 comments

Comments

vinhyan (Contributor) commented Dec 5, 2024

Describe the task

Looks like the cross-spawn issue might come from this transitive dependency; upgrading the parent dependency is needed:
[screenshot of the dependency chain omitted]

High-severity vulnerability in the current cross-spawn version 7.0.3: CVE-2024-21538

npm audit fix cannot fix it without bumping the version to 7.0.5 or above.

Acceptance Criteria

  • cross-spawn dependency is updated to version 7.0.5 or higher in the npm package.
  • The vulnerability CVE-2024-21538 in cross-spawn is no longer flagged by npm audit.
  • The fix does not break any existing functionality or dependencies in the project.

Additional context

  • This issue is affecting code commits due to a failure in npm audit (CVE-2024-21538).
vinhyan (Contributor, Author) commented Dec 6, 2024

Our locked npm version is 10.8.3, which uses cross-spawn v7.0.3—a version with the above vuln. I tested modifying the npm version to 10.9.1 directly in the lockfile, deleted node_modules, and ran npm i. This approach worked, as npm 10.9.1 uses cross-spawn 7.0.6, which does not have the vuln issue. However, I’m not sure if manually editing the lockfile is recommended.

This issue is currently blocking me from committing code, so any advice on resolving it would be greatly appreciated. :) @CodeWritingCow

vinhyan (Contributor, Author) commented Dec 7, 2024

@nlebovits also looping you in for advice on this. Thanks! :)

nlebovits (Collaborator) commented:

Hey @vinhyan, sorry for my slow response on this! Was OOO while traveling. I'm not a JS expert at all, but I'll make sure @CodeWritingCow sees this and gets back to you.

CodeWritingCow (Collaborator) commented:
@vinhyan When I ran npm update and then npm audit locally, the vulnerability alert for cross-spawn disappeared.

Also ran npm ls cross-spawn to verify that cross-spawn got upgraded to v7.0.6:
[screenshot of the npm ls cross-spawn output omitted]

Generally, I recommend not manually changing package-lock.json. We should update and manage it using npm commands such as npm install and npm update. That file tracks both our application's top dependencies and their nested dependencies.
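The check this thread performs by hand with npm audit and npm ls cross-spawn (which copies of cross-spawn are installed, through which parent, and whether each is at a patched release) can be done offline against package-lock.json alone. CVE-2024-21538 is a regular-expression denial of service in cross-spawn's argument escaping, fixed in 7.0.5 on the 7.x line and 6.0.6 on the 6.x line. The script below is an added example, not code from this issue or from the project: the package-lock.json fragment is constructed for illustration, and its dependency tree (a bundled, outdated cross-spawn under npm beside a patched top-level copy) is an assumption that mirrors the situation described above, not the project's real lockfile.

```javascript
// Added example (not from the issue thread or the project): offline audit of a
// package-lock.json for every installed copy of cross-spawn, reporting the
// parent chain that pulls it in and whether it is at a patched release.

// Constructed lockfileVersion 3 fragment (an assumption for illustration).
// Keys of "packages" are paths under node_modules, so a nested key means a
// nested, transitive install that `npm audit fix` may not be able to lift.
const SAMPLE_LOCK = JSON.stringify({
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", dependencies: { npm: "10.8.3", "some-cli": "1.0.0" } },
    "node_modules/npm": { version: "10.8.3" },
    "node_modules/npm/node_modules/cross-spawn": { version: "7.0.3" },
    "node_modules/some-cli": { version: "1.0.0" },
    "node_modules/cross-spawn": { version: "7.0.6" },
  },
});

// Patched releases per major line for CVE-2024-21538 (per the GitHub advisory):
// 7.0.5 on the 7.x line, 6.0.6 on the 6.x line. Older majors have no fix.
const PATCHED = { 7: "7.0.5", 6: "6.0.6" };

// Compare MAJOR.MINOR.PATCH numerically; pre-release suffixes are dropped,
// which is adequate for cross-spawn's release history.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// True when `version` is at or above the patched release of its major line;
// a major with no patched release is treated as vulnerable.
function isPatched(version) {
  const floor = PATCHED[Number(version.split(".")[0])];
  return floor !== undefined && compareVersions(version, floor) >= 0;
}

// Walk the "packages" map (lockfileVersion 2 or 3) and collect every install
// of `pkgName`, with the chain of parent packages that nests it.
function findInstalls(lockJson, pkgName) {
  const lock = JSON.parse(lockJson);
  if (!lock.packages) throw new Error("need lockfileVersion 2 or 3 (a 'packages' map)");
  const installs = [];
  for (const [path, entry] of Object.entries(lock.packages)) {
    if (!path.endsWith("node_modules/" + pkgName)) continue;
    // "node_modules/npm/node_modules/cross-spawn" -> ["npm", "cross-spawn"]
    const segments = path
      .split("node_modules/")
      .map((s) => s.replace(/\/$/, ""))
      .filter(Boolean);
    installs.push({
      path,
      via: segments.slice(0, -1).join(" > ") || "(top-level)",
      version: entry.version,
      patched: isPatched(entry.version),
    });
  }
  return installs;
}

// The thread's `npm audit` / `npm ls cross-spawn` question answered from the
// lockfile: returns only the installs still below the fix.
function vulnerableCrossSpawn(lockJson) {
  return findInstalls(lockJson, "cross-spawn").filter((i) => !i.patched);
}

// Stand-alone run over the constructed lockfile.
for (const i of findInstalls(SAMPLE_LOCK, "cross-spawn")) {
  console.log(`${i.version.padEnd(8)} ${i.patched ? "ok  " : "VULN"} ${i.path} (via ${i.via})`);
}
console.log("unpatched:", vulnerableCrossSpawn(SAMPLE_LOCK).map((i) => i.path));
```

To run it against a real project, replace SAMPLE_LOCK with the contents of package-lock.json; a nested path such as node_modules/npm/node_modules/cross-spawn is exactly the case where npm audit fix cannot help and the parent (here npm) has to move to a release that depends on a patched cross-spawn, which is what updating npm to 10.9.1 did in the thread.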
