cross-spawn-async - npm Package Compare versions

Comparing version 2.2.1 to 2.2.2

lib/parse.js

@@ -42,10 +42,11 @@ var fs             = require('fs');
 
-function escapeArg(arg, skipQuote) {
+function escapeArg(arg, quote) {
     // Convert to string
     arg = '' + arg;
 
-    // Escaped based on: http://qntm.org/cmd
-    // Unless we're told otherwise, don't quote unless we actually need to do so,
-    // hopefully avoid problems if programs won't parse quotes properly
-    if (!skipQuote && (!arg || /[\s"]/.test(arg))) {
+    // If we are not going to quote the argument,
+    // escape shell metacharacters, including double and single quotes:
+    if (!quote) {
+        arg = arg.replace(/([\(\)%!\^<>&|;,"'\s])/g, '^$1');
+    } else {
         // Sequence of backslashes followed by a double quote:
@@ -66,11 +67,15 @@ // double up all the backslashes and escape the double quote
 
-    // Finally escape shell meta chars
-    arg = arg.replace(/([\(\)%!\^<>&|;,"'\s])/g, '^$1');
-
     return arg;
 }
 
+function escapeCommand(command) {
+    // Do not escape if this command is not dangerous..
+    // We do this so that commands like "echo" or "ifconfig" work
+    // Quoting them, will make them unaccessible
+    return /^[a-z0-9_-]+$/i.test(command) ? command : escapeArg(command, true);
+}
+
 function parseCall(command, args, options) {
     var shebang;
-    var skipQuotes;
+    var applyQuotes;
     var file;
@@ -101,6 +106,6 @@ var original;
         // Escape command & arguments
-        skipQuotes = command === 'echo';  // Do not quote arguments for the special "echo" command
-        command = escapeArg(command);
+        applyQuotes = command !== 'echo';  // Do not quote arguments for the special "echo" command
+        command = escapeCommand(command);
         args = args.map(function (arg) {
-            return escapeArg(arg, skipQuotes);
+            return escapeArg(arg, applyQuotes);
         });
@@ -107,0 +112,0 @@

package.json

 {
   "name": "cross-spawn-async",
-  "version": "2.2.1",
+  "version": "2.2.2",
   "description": "Cross platform child_process#spawn",
@@ -5,0 +5,0 @@ "main": "index.js",

README.md

@@ -45,3 +45,3 @@ # cross-spawn-async
 
-var process = spawn('npm', ['list', '-g', '-depth', '0'], { stdio: 'inherit' });
+var child = spawn('npm', ['list', '-g', '-depth', '0'], { stdio: 'inherit' });
 ```
@@ -48,0 +48,0 @@

New alerts

Environment variable access

Supply chain risk

Package accesses environment variables, which may be a sign of credential stuffing or data theft.

Found 1 instance in 1 package

Fixed alerts

Environment variable access

Supply chain risk

Package accesses environment variables, which may be a sign of credential stuffing or data theft.

Found 1 instance in 1 package

Improved metrics

Total package byte prevSize

12932

increased by1.21%

Lines of code

191

increased by2.69%

Worsened metrics

Number of low supply chain risk alerts

5

increased by25%

No dependency changes