The 1.0.0 version of the execa dependency has a dependency for cross-spawn@^6.0.0, but this version of cross-spawn is insecure (CVE-2024-21538).
@currents/commit-info@1.0.0 requires cross-spawn@^6.0.0 via execa@1.0.0
No patched version available for cross-spawn
The vulnerability is fixed in cross-spawn@7.0.5. Later versions of execa do call for cross-spawn@^7.0.3, which could resolve to 7.0.5.
Thus, this project's dependency on execa should be bumped to at least the earliest version that allows for cross-spawn@7.0.5 to be installed. The earliest version of execa that calls for cross-spawn@^7.0.0 is execa@^3.0.0.