x/website, x/pkgsite, x/build/cmd/relui, vscode-go, x/telemetry: vulnerability GHSA-3xgq-45jj-v275/CVE-2024-21538 in cross-spawn dependency version 7.0.3 #71118
Comments
|
Related Issues (Emoji vote if this was helpful or unhelpful; more detailed feedback welcome in this discussion.) |
|
This is the issue tracker for the Go project. What is "cross-spawn" in your report? If it's referring to https://www.npmjs.com/package/cross-spawn, the issue tracker for that seems to be https://github.com/moxystudio/node-cross-spawn/issues. If there's an issue in Go itself, please add more information so we can understand the problem. Thanks. |
dmitshur
added
the
WaitingForInfo
|
I see it's a dependency in some of the golang.org/x repos: https://cs.opensource.google/search?q=%22cross-spawn%22%20%227.0.3%22&ss=go |
dmitshur
added
NeedsInvestigation
dmitshur
changed the title
|
This is pulled in from I do think it's unfortunate that web code is vendored into the main go repo, perhaps all the cc @golang/telemetry |
|
CC @golang/tools-team (for pkgsite) @seankhliao I agree that we should perhaps consider adding a submodule for x/telemetry/cmd/gotelemetry, so that the core telemetry library has no web dependencies. |
Go version
1.23.4
Output of
go envin your module/workspace:What did you do?
Anchore scans run periodically.
What did you see happen?
Vulnerability scanners (such as Anchore) are detecting GHSA-3xgq-45jj-v275/CVE-2024-21538 in
cross-spawn7.0.3. That dependency needs to be upgraded to 7.0.5 or higher. Thank you.Note: This was reported as Issue 71114, but that was closed with
not planned. It is not a duplicate according to issue search, so asking for an explanation.What did you expect to see?
Clean scan results.
The text was updated successfully, but these errors were encountered: