[Pkg-javascript-devel] Bug#958403: node-cross-spawn: unneeded for Debian, does risky path mangling, and does it wrong in current release 5.1.0

Jonas Smedegaard dr at jones.dk
Tue Apr 21 15:30:41 BST 2020


Package: node-cross-spawn
Version: 5.1.0-2
Severity: grave
Justification: renders package unusable


The sole purpose of Node.js module cross-spawn is to reimplement
builtin Node.js functions child_process.sync and child_process.spawnSync
compatible with Windows.

Code involved mangling paths using regular expressions,
which I fear can cause security issues if done wrong.

Current release 5.1.0 seems to be doing it wrong for Unix
(i.e. on platforms already implemented in Node.js),
judging from changelog entries of later releases.

According to its README.md,
on Debian it should be possible to simply replace
calls to cross-spawn.spawn with child_process.sync,
and calls to cross-spawn.sync with child_process.spawnSync.

Please let's avoid shipping this package with Bullseye
and instead patch the (quite few, it seems) reverse dependencies
to use node.js child_process() calls instead.

 - Jonas
