
security: override cross-spawn to ^7.0.6 (pnpm) #307

Open
thomasrockhu-codecov wants to merge 1 commit into main from security/tier-s-cross-spawn-override

Conversation

@thomasrockhu-codecov
Contributor

Summary

Adds a root pnpm.overrides entry so cross-spawn resolves to ^7.0.6 everywhere.

npm-run-all@4.1.5 (latest) still declares cross-spawn@^6.0.5, which was resolving to 6.0.5; serve / execa paths could still pull 7.0.3. The override aligns all instances with patched releases for the ReDoS advisories reported under pnpm audit (e.g. GHSA-3xgq-45jj-v275).

Test plan

  • CI passes for this branch.

Made with Cursor
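
A check a reviewer could run against the lockfile to confirm the override took effect, added here as an example and not part of this pull request or the project's code. The lockfile excerpts are constructed, the package-key layout is an assumption, and `resolvedVersions` and `auditOverride` are hypothetical helper names.

```javascript
// Root package.json fragment as the PR summary describes it (pnpm.overrides).
const rootPackageJson = { pnpm: { overrides: { "cross-spawn": "^7.0.6" } } };
const FLOOR = rootPackageJson.pnpm.overrides["cross-spawn"].replace(/^\^/, "");

// Constructed lockfile excerpts (not the repository's real pnpm-lock.yaml).
const LOCK_BEFORE = `
packages:
  cross-spawn@6.0.5:
    engines: {node: '>=4.8'}
  cross-spawn@7.0.3:
    engines: {node: '>= 8'}
  npm-run-all@4.1.5:
    engines: {node: '>= 4'}
`;
const LOCK_AFTER = `
overrides:
  cross-spawn: ^7.0.6
packages:
  cross-spawn@7.0.6:
    engines: {node: '>= 8'}
  npm-run-all@4.1.5:
    engines: {node: '>= 4'}
`;

const parse = (v) => v.split(".").map(Number);

// Comparator for plain x.y.z versions: negative, zero or positive.
function compareVersions(a, b) {
  const pa = parse(a), pb = parse(b);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// Caret range with major >= 1: same major version and not below the floor.
const satisfiesCaret = (v, floor) =>
  parse(v)[0] === parse(floor)[0] && compareVersions(v, floor) >= 0;

// Distinct resolved versions of `name`, read from package keys such as
// "cross-spawn@6.0.5:" or "/cross-spawn@7.0.3:" (key layout is an assumption).
function resolvedVersions(lockText, name) {
  const esc = name.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
  const re = new RegExp(`^\\s*['"]?/?${esc}@(\\d+\\.\\d+\\.\\d+)['"]?:\\s*$`, "gm");
  return [...new Set([...lockText.matchAll(re)].map((m) => m[1]))].sort(compareVersions);
}

// Hypothetical helper: which resolved versions still fall outside the override?
function auditOverride(lockText, name, floor) {
  const versions = resolvedVersions(lockText, name);
  return { versions, stale: versions.filter((v) => !satisfiesCaret(v, floor)) };
}

console.log(auditOverride(LOCK_BEFORE, "cross-spawn", FLOOR)); // both versions stale
console.log(auditOverride(LOCK_AFTER, "cross-spawn", FLOOR));
```

A non-empty `stale` list after regenerating the lockfile means some dependency path still resolves outside the overridden range.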

@sentry

sentry bot commented Apr 2, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 80.74%. Comparing base (5e53051) to head (449229e).
✅ All tests successful. No failed tests found.

Additional details and impacted files
Components Coverage Δ
Plugin core 98.05% <ø> (ø)
Rollup plugin 8.42% <ø> (ø)
Vite plugin 8.42% <ø> (ø)
Webpack plugin 56.84% <ø> (ø)


@codecov-notifications

codecov-notifications bot commented Apr 2, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ All tests successful. No failed tests found.

Components Coverage Δ
Plugin core 98.05% <ø> (ø)
Rollup plugin 8.42% <ø> (ø)
Vite plugin 8.42% <ø> (ø)
Webpack plugin 56.84% <ø> (ø)


@sentry

sentry bot commented Apr 2, 2026

Bundle Report

Changes will decrease total bundle size by 3.78kB (-0.05%) ⬇️. This is within the configured threshold ✅

Detailed changes
Bundle name Size Change
@codecov/rollup-plugin-esm 1.3kB -5.11kB (-79.7%) ⬇️
@codecov/example-sveltekit-app-client-esm 727.67kB -2 bytes (-0.0%) ⬇️
@codecov/example-sveltekit-app-server-esm 984.06kB -1 bytes (-0.0%) ⬇️
@codecov/nextjs-webpack-plugin-esm 4.86kB 3.74kB (336.0%) ⬆️
@codecov/astro-plugin-esm 862 bytes -2.41kB (-73.62%) ⬇️


npm-run-all@4.1.5 still resolves cross-spawn 6.0.5 under its semver range;
execa via serve pulled 7.0.3. Force patched 7.0.6+ for all instances to
address cross-spawn ReDoS advisories (GHSA-3xgq-45jj-v275).

Made-with: Cursor
thomasrockhu-codecov force-pushed the security/tier-s-cross-spawn-override branch from ed28467 to 449229e on April 3, 2026 17:41