The 1.0.0 version of the execa dependency has a dependency on cross-spawn@^6.0.0, but this version of cross-spawn is insecure (CVE-2024-21538).
@currents/[email protected] requires cross-spawn@^6.0.0 via [email protected]
No patched version available for cross-spawn
The vulnerability is fixed in [email protected]. Later versions of execa do call for cross-spawn@^7.0.3, which could resolve to 7.0.5.
Thus, this project's dependency on execa should be bumped to at least the earliest version that allows for [email protected] to be installed. The earliest version of execa that calls for cross-spawn@^7.0.0 is execa@^3.0.0.
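The range reasoning in the report above can be checked mechanically. The following is an added example, not code from the project or the report: it scans a constructed `package-lock.json` fragment for packages whose declared `cross-spawn` range cannot resolve to 7.0.5 (the version the report says `^7.0.3` could resolve to). The package name `example-reporter`, the installed versions and the function names are assumptions.

```javascript
// Constructed sample lockfile ("packages" map of lockfileVersion 2/3), trimmed.
// "example-reporter" and the installed cross-spawn version are made up.
const lock = {
  packages: {
    "": { dependencies: { "example-reporter": "^1.0.0" } },
    "node_modules/example-reporter": { version: "1.0.0", dependencies: { execa: "1.0.0" } },
    "node_modules/execa": { version: "1.0.0", dependencies: { "cross-spawn": "^6.0.0" } },
    "node_modules/cross-spawn": { version: "6.0.5" },
  },
};

const parse = (v) => v.split(".").map(Number);

// True if `range` can resolve to `version`. Handles exact pins and caret
// ranges with major >= 1 (same major, version >= base); other range syntax
// is out of scope for this sketch.
function allows(range, version) {
  if (!range.startsWith("^")) return range === version;
  const [bM, bm, bp] = parse(range.slice(1));
  const [M, m, p] = parse(version);
  if (M !== bM) return false;
  return m > bm || (m === bm && p >= bp);
}

// List every package whose declared range for `dep` excludes `wanted`.
// These are the dependents that must be bumped before the fix can install.
function findBlockers(lockfile, dep, wanted) {
  const blockers = [];
  for (const [path, pkg] of Object.entries(lockfile.packages)) {
    const range = (pkg.dependencies || {})[dep];
    if (range && !allows(range, wanted)) {
      const requiredBy = path.replace(/^.*node_modules\//, "") || "(root)";
      blockers.push({ requiredBy, version: pkg.version, range });
    }
  }
  return blockers;
}

console.log(findBlockers(lock, "cross-spawn", "7.0.5"));
```

An empty result means no dependent pins `cross-spawn` below the wanted version, so a fresh install or lockfile update can pick it up.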