fix: CVE-2024-21538 by migrating to promisify-child-process #4658 #4729

Merged
merged 3 commits into from
Mar 7, 2025

noomorph
Collaborator

@noomorph noomorph commented Mar 7, 2025

Description

Thanks to the co-author, @matinzd, for the initial implementation.

Detox is using a vulnerable package described in CVE-2024-21538.

In this pull request, I have migrated away from the unmaintained child-promise-process to promisify-child-process to fix the transitive vulnerability in the cross-spawn package.

@noomorph noomorph force-pushed the fix-CVE-2024-21538 branch from 55981bc to 494ff71 Compare March 7, 2025 14:39
@noomorph noomorph marked this pull request as ready for review March 7, 2025 14:39
@noomorph noomorph requested a review from d4vidi as a code owner March 7, 2025 14:39
@noomorph noomorph force-pushed the fix-CVE-2024-21538 branch from 494ff71 to 1e1e770 Compare March 7, 2025 14:41
@noomorph noomorph merged commit a620d87 into master Mar 7, 2025
3 checks passed
@noomorph noomorph deleted the fix-CVE-2024-21538 branch March 7, 2025 15:28
@matinzd
Contributor

matinzd commented Mar 9, 2025

Thanks for fixing it! Well done 🚀

Collaborator

@noomorph general note - I'd like it better if you didn't mix styling changes into technical changes/improvements. It makes it difficult for me / a reviewer to understand what really has changed on the functional level.
