All sync-exec versions

sync-exec @0.6.2

rejected
This version was rejected. It did not pass GreenFlagged's security review and is not served by the registry. The findings and risk dispositions below explain why.
Risk Score: 43
License: MIT
Install Scripts: No
Dependencies: 0
Dev Dependencies: 1
Package Size: 4.9 KB
Published

Synchronous exec with status code support. Requires no external dependencies, no need for node-gyp compilations etc.

Maintainers

gvarsanyi

Keywords

exec, execSync, fs, sync, synchronous, status code, status

Dev Dependencies (1)

Package        Constraint   Registry Status
coffee-script  ^1.9.3       auto_approved

Risk Dispositions (1 applicable to this version, 0 other)

Accepted rules are downgraded to INFO on future analyses; rejected rules escalate to CRITICAL.

Rule: osv:GHSA-38h8-x697-gh8q
Source: osv
Disposition: reject
Author: AI
Reason: AI (osv): No fix exists for this advisory; affected range covers all versions of sync-exec (<=0.6.2). Verdict generalizes to every published version of this package.

SAST Findings (2)

MEDIUM (source: osv) GHSA-38h8-x697-gh8q: Tmp files readable by other users in sync-exec

CVSS 6.5 (MEDIUM) — CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Affected versions of `sync-exec` use files located in `/tmp/` to buffer command results before returning values. As `/tmp/` is almost always set with world readable permissions, this may allow low privilege users on the system to read the results of commands run via `sync-exec` under a higher privilege user.

Recommendation

There is currently no direct patch for `sync-exec`, as the `child_process.execSync` function provided in Node.js v0.12.0 and later provides the same functionality natively. The best mitigation currently is to update to Node.js v0.12.0 or later, and migrate all uses of `sync-exec` to `child_process.execSync()`.

LOW (source: provenance) No provenance attestation

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

Review Summary

Risk score: 43. Findings: 4 medium (+40), 1 low (+3).

Commit: ecbbeee5d1ff

Published to npm: