Posted to commits@cordova.apache.org by GitBox <gi...@apache.org> on 2020/03/14 19:47:20 UTC

[GitHub] [cordova-ios] NiklasMerz commented on issue #578: Snyk report: High severity vulnerability found in shelljs -> Command Injection

NiklasMerz commented on issue #578: Snyk report: High severity vulnerability found in shelljs -> Command Injection
URL: https://github.com/apache/cordova-ios/issues/578#issuecomment-599127100
 
 
   Please see: https://github.com/shelljs/shelljs/issues/945#issuecomment-505094896
   
   > For an update for you all. It must be understood that if you use the exec function in this library you must sanitize the input yourself. From what I understand, the library itself isn't vulnerable, it is the usage of the library that has the potential*.
   > I've reached out to whitesource software (where the origin of the github security alert is coming from) and let them know that this might be a NOOP.
   > At this point, the resolution is to use the github tooling or snyk tooling and ignore the alert. For github, you can view https://help.github.com/en/articles/viewing-and-updating-vulnerable-dependencies-in-your-repository (look for the dismiss button)
   
   I did a quick check of the usage of `shelljs` in this project and could not find any commands that looked dangerous.
   
   To all others looking at this issue, please feel free to check too, just to make sure. But I am closing this now since it is not a real issue as far as I can tell.

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
users@infra.apache.org


With regards,
Apache Git Services

---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscribe@cordova.apache.org
For additional commands, e-mail: commits-help@cordova.apache.org