Description
First off, thank you for maintaining @ldo/cli — it’s been very useful for working with RDF in TypeScript.
While running npm audit on a project using @ldo/cli, I noticed a high severity vulnerability reported in cross-spawn. It comes through the dependency chain:
@ldo/cli → child-process-promise → cross-spawn
cross-spawn <6.0.6
Severity: high
Regular Expression Denial of Service (ReDoS) - GHSA-3xgq-45jj-v275
fix available via npm audit fix --force
Will install undefined@undefined, which is a breaking change
node_modules/cross-spawn
child-process-promise >=2.2.0
Depends on vulnerable versions of cross-spawn
node_modules/child-process-promise
@ldo/cli *
Depends on vulnerable versions of child-process-promise
node_modules/@ldo/cli
3 high severity vulnerabilities
Suggested Fix
Update the dependency chain so that cross-spawn resolves to version 7.0.5 or newer, where this vulnerability has been patched.
Reference
Advisory: GHSA-3xgq-45jj-v275
Personal Note
I’m currently using @ldo/cli in my master’s thesis project on RDF and REST API generation, and I truly appreciate the work that has gone into this library. Just wanted to flag this so the community can continue using it securely. Thanks again for your work!
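A check for the fix proposed above, added here as an example that is not part of the issue or of @ldo/cli itself: it scans a lock-file's `packages` map (a constructed fragment mirroring the reported chain is embedded) for every copy of cross-spawn resolved below 7.0.5, and builds the package.json `overrides` entry (npm 8.3 or newer) that forces the patched range. The package names and versions in the sample are assumptions, not values from any real lock file.

```javascript
// Constructed lock-file fragment mirroring the chain from the audit output
// (versions are illustrative, not copied from any real lock file).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { dependencies: { '@ldo/cli': '*' } },
    'node_modules/@ldo/cli': { version: '0.0.1' },
    'node_modules/child-process-promise': { version: '2.2.1' },
    'node_modules/cross-spawn': { version: '4.0.2' },
    'node_modules/some-tool/node_modules/cross-spawn': { version: '7.0.6' },
  },
};

// Compare two "major.minor.patch" strings numerically (any pre-release
// suffix is ignored); returns -1, 0 or 1.
function compareSemver(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Every lock-file entry for `name` (top-level or nested under another
// package) whose resolved version is older than `fixedIn`.
function findVulnerableCopies(lock, name, fixedIn) {
  const suffix = 'node_modules/' + name;
  return Object.entries(lock.packages || {})
    .filter(([p, meta]) => p.endsWith(suffix) && meta.version
                           && compareSemver(meta.version, fixedIn) < 0)
    .map(([p, meta]) => ({ path: p, version: meta.version }));
}

// package.json "overrides" entry (npm >= 8.3) that forces every nested
// copy of `name` onto the patched range; re-run the project's tests
// afterwards, since the override moves child-process-promise onto a
// major of cross-spawn it was not declared against.
function overrideFor(name, fixedIn) {
  return { overrides: { [name]: '^' + fixedIn } };
}

// cross-spawn < 7.0.5 is the range the issue asks to move off (GHSA-3xgq-45jj-v275).
console.log(findVulnerableCopies(SAMPLE_LOCK, 'cross-spawn', '7.0.5'));
console.log(JSON.stringify(overrideFor('cross-spawn', '7.0.5')));
```

Run it against a real `package-lock.json` by replacing `SAMPLE_LOCK` with the parsed file; `npm ls cross-spawn` after `npm install` confirms the override took effect.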