execa 1.0.0 flagged as insecure #1208

y-nk · 2025-04-08T03:02:03Z

we're now at execa@9.5.2 - a bump of 8 majors seems risky with overrides. any chance to work at this?

PS: i'm willing to help if needed.

nfischer · 2025-04-08T04:30:25Z

Can you share details of the security vulnerability? If it's been disclosed, then please share a link. If the vulnerability is not yet disclosed, then please raise this with the execa maintainers first.

I won't say no to a PR to update execa as long as everything still works.

y-nk · 2025-04-08T06:31:30Z

the vulnerability was found by aws docker image scanner, so it's all ok to share.

https://scout.docker.com/vulnerabilities/id/GMS-2020-2

Showed up in our report like this (nb: tw-email-bridge is our docker container name):

after running pnpm why execa, shelljs was found as direct dependent.

nfischer · 2025-04-08T06:48:10Z

I don't think this is a vulnerability in shelljs. The report says:

Attackers could trick execa into executing arbitrary binaries. This behaviour is caused by the setting preferLocal=true which makes execa search for locally installed binaries and executes them. This vulnerability is usually only exploitable when using execa on a client-side LOCAL application.

We don't use { preferLocal: true } so I don't think our project is vulnerable.

If some other project is using shelljs and providing { preferLocal: true }, then that would be on them. Nothing we can do to stop this.

nfischer · 2025-04-08T06:51:44Z

Also, how do you know that upgrading execa will fix the warning? It seems to me like execa still supports preferLocal the same as it always has. Are you sure that execa@2.0.0 doesn't trigger the same warning?

y-nk · 2025-04-08T06:57:07Z

that's a good question, for which i don't have yet an answer. i can only try to build a project with updated execa and have it passed in the aws scanner again and see.

i would like to highlight that i have read the repo's source code and indeed i agree that shelljs itself don't use anything which would put any user at risk... but it is marked as such, raising issue in a few security dashboard products ; so it's not really that the code is insecure itself, but the auditors are quite basic and won't discard based on usage (as it's not really scalable from their PoV). their policy is "you have it in package-lock, you're at risk" which is what i wanted to report in this issue.

for FOSS projects i don't think it matters ; for SaaS like the one i work for, we have some security agreement which force us to fix those issues within a given time window or to seek help/support to do it.

y-nk · 2025-04-08T07:09:45Z

after looking more in detail of the report in above url, they do provide the version which resolved the issue. that being said, 2.0.0 have dependency which also have other CVE attached, so maybe trying to upgrade to latest would be a better approach.

nfischer · 2025-04-08T07:31:36Z

Ok I found the execa change: sindresorhus/execa#314. Changelog says this did in fact go out in 2.0.0. https://github.com/sindresorhus/execa/releases/tag/v2.0.0

I will accept a patch to upgrade execa. To set expectations though, I will not commit to a timeline when I will release the patch. "Due in 1 day" is an absolutely insane timeline for any OSS bug.

y-nk · 2025-04-08T14:17:19Z

@nfischer oh sorry i didn't mean to put pressure on you - the due in 1 day is on our side and is not something which reflects to you or this package. i/we do not expect such a short answer.

i will look into providing the patch PR, although i will look at doing it so that npm audit does not yield any vulnerability anymore - if it appears to be impossible (lots of breaking changes etc) i will let you know in this issue.

nfischer · 2025-04-09T22:33:03Z

No worries, I understand that's an internal deadline. Just want to clarify that this probably won't be changed on our side for days or weeks. If the 1 day deadline on your side is a firm deadline, then you may want to prioritize finding a quick workaround to meet your deadline and then come back later if you're still interested in contributing the package update.

Unfortunately this would be a breaking change for us. I can still accept the PR, but you'll need to chase down the mailin package to have them upgrade shelljs once the update goes out.

nfischer · 2025-04-09T22:40:53Z

Wait, something is wrong. You said the dependency path is mailin > shelljs > execa. This can't be right. mailin is 8 years old and it depends on shelljs "^0.5.1" https://github.com/Flolagale/mailin/blob/master/package.json#L45C17-L45C23

The "^0.5.1" semver pattern is not supposed to match version "0.9.1". "^" means you can only get patch updates if the major version is still zero. If your package manager installed shelljs v0.9.1, then your package manager is doing the wrong thing.

It's a miracle the mailin package still runs... we've shipped some breaking changes since 0.5.3, but I guess they only use shell.which() and shell.mkdir() so they lucked out. https://github.com/search?q=repo%3AFlolagale%2Fmailin+shell.&type=code

y-nk · 2025-04-10T02:05:58Z

you're right, it's a miracle indeed ; or maybe not :) i have read its entire source code to address "can we use a npm override or not" and it was ok to force their shelljs^0.5.1 to be shelljs^0.9.2 and get the latest bug fixes and improvements.

we could also have made a fork, but looking at how many fork currently existing and still none of them are properly maintained, i made the call not to add one more of them to the mix and confuse the community further.

(if you have a time) you can check their issues and will see i've been looking into solutions to solve this as well as running mailin with node^20 (it was node^14 compliant). mailin itself is unmaintained for about 8y i think so we had no other choice than adding a override entry to our package.json. nobody reads the issue, nobody pushes updates.

i could very well add one more override of execa but execa is not a direct dependency of mailin but rather shelljs and since it's still maintained i thought there's a chance to kindly ask for an upgrade and make the whole community beneficiate from this bump, while it was not possible for mailin because nobody seems to care anymore.

nfischer · 2025-04-10T04:36:10Z

you're right, it's a miracle indeed ; or maybe not :) i have read its entire source code to address "can we use a npm override or not" and it was ok to force their shelljs^0.5.1 to be shelljs^0.9.2 and get the latest bug fixes and improvements.

Well, I'm impressed. I didn't know you could even do that!

y-nk · 2025-04-17T06:00:25Z

@nfischer it was added in npm since v9 (i think) under packageJson.overrides and still exists in pnpm as packageJson.pnpm.overrides. very neat last resort solution!

nfischer · 2025-05-09T19:18:58Z

Fixed in shelljs v0.10. Thanks for the contribution!

nfischer added help wanted exec Issues specific to the shell.exec() API dependencies Pull requests that update a dependency file labels Apr 8, 2025

y-nk mentioned this issue Apr 10, 2025

bump execa #1216

Closed

nfischer added this to the v0.10.0 milestone May 9, 2025

nfischer closed this as completed May 9, 2025

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

execa 1.0.0 flagged as insecure #1208

execa 1.0.0 flagged as insecure #1208

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

execa 1.0.0 flagged as insecure #1208

execa 1.0.0 flagged as insecure #1208

Comments

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!