npm package diff

Package: cross-spawn

Versions: 7.0.3 - 7.0.6

File: `package/lib/util/escape.js`

Index: package/lib/util/escape.js
===================================================================
--- package/lib/util/escape.js
+++ package/lib/util/escape.js
@@ -14,17 +14,19 @@
     // Convert to string
     arg = `${arg}`;
 
     // Algorithm below is based on https://qntm.org/cmd
+    // It's slightly altered to disable JS backtracking to avoid hanging on specially crafted input
+    // Please see https://github.com/moxystudio/node-cross-spawn/pull/160 for more information
 
     // Sequence of backslashes followed by a double quote:
     // double up all the backslashes and escape the double quote
-    arg = arg.replace(/(\\*)"/g, '$1$1\\"');
+    arg = arg.replace(/(?=(\\+?)?)\1"/g, '$1$1\\"');
 
     // Sequence of backslashes followed by the end of the string
     // (which will become a double quote later):
     // double up all the backslashes
-    arg = arg.replace(/(\\*)$/, '$1$1');
+    arg = arg.replace(/(?=(\\+?)?)\1$/, '$1$1');
 
     // All other backslashes occur literally
 
     // Quote the whole thing:

npm package diff

Package: cross-spawn

Versions: 7.0.3 - 7.0.6

File: package/lib/util/escape.js

File: `package/lib/util/escape.js`