npm package diff
Package: cross-spawn
Versions: 7.0.3 - 7.0.6
Removed: package/CHANGELOG.md
Modified: package/lib/enoent.js
Index: package/lib/enoent.js
===================================================================
--- package/lib/enoent.js
+++ package/lib/enoent.js
@@ -23,9 +23,9 @@
// If emitting "exit" event and exit code is 1, we need to check if
// the command exists and emit an "error" instead
// See https://github.com/IndigoUnited/node-cross-spawn/issues/16
if (name === 'exit') {
- const err = verifyENOENT(arg1, parsed, 'spawn');
+ const err = verifyENOENT(arg1, parsed);
if (err) {
return originalEmit.call(cp, 'error', err);
}Modified: package/lib/util/escape.js
Index: package/lib/util/escape.js
===================================================================
--- package/lib/util/escape.js
+++ package/lib/util/escape.js
@@ -14,17 +14,19 @@
// Convert to string
arg = `${arg}`;
// Algorithm below is based on https://qntm.org/cmd
+ // It's slightly altered to disable JS backtracking to avoid hanging on specially crafted input
+ // Please see https://github.com/moxystudio/node-cross-spawn/pull/160 for more information
// Sequence of backslashes followed by a double quote:
// double up all the backslashes and escape the double quote
- arg = arg.replace(/(\\*)"/g, '$1$1\\"');
+ arg = arg.replace(/(?=(\\+?)?)\1"/g, '$1$1\\"');
// Sequence of backslashes followed by the end of the string
// (which will become a double quote later):
// double up all the backslashes
- arg = arg.replace(/(\\*)$/, '$1$1');
+ arg = arg.replace(/(?=(\\+?)?)\1$/, '$1$1');
// All other backslashes occur literally
// Quote the whole thing:Modified: package/package.json
Index: package/package.json
===================================================================
--- package/package.json
+++ package/package.json
@@ -1,7 +1,7 @@
{
"name": "cross-spawn",
- "version": "7.0.3",
+ "version": "7.0.6",
"description": "Cross platform child_process#spawn and child_process#spawnSync",
"keywords": [
"spawn",
"spawnSync",
@@ -64,9 +64,9 @@
"jest": "^24.9.0",
"lint-staged": "^9.2.5",
"mkdirp": "^0.5.1",
"rimraf": "^3.0.0",
- "standard-version": "^7.0.0"
+ "standard-version": "^9.5.0"
},
"engines": {
"node": ">= 8"
}Modified: package/README.md
Index: package/README.md
===================================================================
--- package/README.md
+++ package/README.md
@@ -1,25 +1,18 @@
# cross-spawn
-[![NPM version][npm-image]][npm-url] [![Downloads][downloads-image]][npm-url] [![Build Status][travis-image]][travis-url] [![Build status][appveyor-image]][appveyor-url] [![Coverage Status][codecov-image]][codecov-url] [![Dependency status][david-dm-image]][david-dm-url] [![Dev Dependency status][david-dm-dev-image]][david-dm-dev-url]
+[![NPM version][npm-image]][npm-url] [![Downloads][downloads-image]][npm-url] [![Build Status][ci-image]][ci-url] [![Build status][appveyor-image]][appveyor-url]
[npm-url]:https://npmjs.org/package/cross-spawn
[downloads-image]:https://img.shields.io/npm/dm/cross-spawn.svg
[npm-image]:https://img.shields.io/npm/v/cross-spawn.svg
-[travis-url]:https://travis-ci.org/moxystudio/node-cross-spawn
-[travis-image]:https://img.shields.io/travis/moxystudio/node-cross-spawn/master.svg
+[ci-url]:https://github.com/moxystudio/node-cross-spawn/actions/workflows/ci.yaml
+[ci-image]:https://github.com/moxystudio/node-cross-spawn/actions/workflows/ci.yaml/badge.svg
[appveyor-url]:https://ci.appveyor.com/project/satazor/node-cross-spawn
[appveyor-image]:https://img.shields.io/appveyor/ci/satazor/node-cross-spawn/master.svg
-[codecov-url]:https://codecov.io/gh/moxystudio/node-cross-spawn
-[codecov-image]:https://img.shields.io/codecov/c/github/moxystudio/node-cross-spawn/master.svg
-[david-dm-url]:https://david-dm.org/moxystudio/node-cross-spawn
-[david-dm-image]:https://img.shields.io/david/moxystudio/node-cross-spawn.svg
-[david-dm-dev-url]:https://david-dm.org/moxystudio/node-cross-spawn?type=dev
-[david-dm-dev-image]:https://img.shields.io/david/dev/moxystudio/node-cross-spawn.svg
A cross platform solution to node's spawn and spawnSync.
-
## Installation
Node.js version 8 and up:
`$ npm install cross-spawn`