This is an automated email from the ASF dual-hosted git repository.
erisu pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/cordova-android.git
The following commit(s) were added to refs/heads/master by this push:
new 8f458b04 feat: Account for Node security patch (#1778)
8f458b04 is described below
commit 8f458b042bd61a779eec19516a9ec51e38e56c5e
Author: Andrii Kurdiumov <kant2...@gmail.com>
AuthorDate: Tue Feb 18 16:53:18 2025 +0500
feat: Account for Node security patch (#1778)
As of
https://nodejs.org/en/blog/vulnerability/april-2024-security-releases-2#command-injection-via-args-parameter-of-child_processspawn-without-shell-option-enabled-on-windows-cve-2024-27980---high
Cordova produce unrecognized error on Windows.
Fixes: https://github.com/apache/cordova-cli/issues/456
---------
Co-authored-by: Norman Breau <nor...@breautek.com>
---
lib/check_reqs.js | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/lib/check_reqs.js b/lib/check_reqs.js
index 903f3e4c..2422296b 100644
--- a/lib/check_reqs.js
+++ b/lib/check_reqs.js
@@ -110,7 +110,9 @@ module.exports.get_gradle_wrapper = function () {
let program_dir;
// OK, This hack only works on Windows, not on Mac OS or Linux. We will
be deleting this eventually!
if (module.exports.isWindows()) {
- const result = execa.sync(path.join(__dirname, 'getASPath.bat'));
+ // "shell" option enabled for CVE-2024-27980 (Windows) Mitigation
+ // See
https://nodejs.org/en/blog/vulnerability/april-2024-security-releases-2 for
more details
+ const result = execa.sync(path.join(__dirname, 'getASPath.bat'), {
shell: true });
// console.log('result.stdout =' + result.stdout.toString());
// console.log('result.stderr =' + result.stderr.toString());
---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscr...@cordova.apache.org
For additional commands, e-mail: commits-h...@cordova.apache.org
