Shelljs is a popular Node.js library providing cross-platform Unix shell commands, streamlining tasks like file manipulation, process execution, and working with directories within JavaScript environments and npm scripts. Version 0.2.6 was released on September 22, 2013, building upon the functionality of its predecessor, version 0.2.5, released on September 11, 2013.
The primary difference between these two versions lies in their development dependencies. Version 0.2.6 upgrades the jshint dependency to ~2.1.11, whereas version 0.2.5 uses jshint ~1.1.0. The newer jshint brings improved code quality checks, potentially giving developers more robust linting to catch errors and enforce coding standards. Both versions expose the same core shell commands for simplified script writing; the jshint update keeps the code aligned with evolving JavaScript best practices. This makes it a good upgrade for projects concerned with code quality and preventing future errors. Both versions are lightweight and require no mandatory dependencies to run.
All the vulnerabilities related to version 0.2.6 of the package
Improper Privilege Management in shelljs
shelljs is vulnerable to Improper Privilege Management
Improper Privilege Management in shelljs
Output from the synchronous version of shell.exec() may be visible to other users on the same system. You may be affected if you execute shell.exec() in multi-user Mac, Linux, or WSL environments, or if you execute shell.exec() as the root user.
Other shelljs functions (including the asynchronous version of shell.exec()) are not impacted.
Patched in shelljs 0.8.5
Recommended action is to upgrade to 0.8.5.
https://huntr.dev/bounties/50996581-c08e-4eed-a90e-c0bac082679c/
If you have any questions or comments about this advisory: