Package: node-cross-spawn
Version: 5.1.0-2
Severity: grave
Justification: renders package unusable

The sole purpose of Node.js module cross-spawn is to reimplement builtin Node.js functions child_process.sync and child_process.spawnSync compatible with Windows.

Code involved mangling paths using regular expressions, which I fear can cause security issues if done wrong. Current release 5.1.0 seems to be doing it wrong for Unix (i.e. on platforms already implemented in Node.js), judging from changelog entries of later releases.

According to its README.md, on Debian it should be possible to simply replace calls to cross-spawn.spawn with child_process.sync, and calls to cross-spawn.sync with child_process.spawnSync.

Please let's avoid shipping this package with Bullseye and instead patch the (quite few, it seems) reverse dependencies to use Node.js child_process() calls instead.

 - Jonas