Shelljs offers a cross-platform solution for executing Unix shell commands within Node.js environments, streamlining scripting and automation tasks. Version 0.6.1 is a minor update to the shelljs library over its predecessor, version 0.6.0. Both versions share the same core functionality, the same dependencies (none), and the same developer tooling, as shown by their identical devDependencies: "jshint":"~2.1.11" for code quality checking and "coffee-script":"^1.10.0", likely used in legacy parts of the build process. Both are released under the BSD-3-Clause license.
The key distinction lies in their release dates. Version 0.6.0 saw its release on February 5th, 2016, while version 0.6.1 was published on August 6th, 2016. This six-month gap suggests that version 0.6.1 incorporates bug fixes, performance improvements, or minor enhancements accumulated since the previous stable release. Considering the similarity in package definitions, developers currently using 0.6.0 may consider upgrading to 0.6.1 to benefit from these potential refinements and ensure they're running the most up-to-date, stable iteration of the library. Both point to the same repository. Both versions share the same author.
All the vulnerabilities related to the version 0.6.1 of the package
Improper Privilege Management in shelljs
shelljs is vulnerable to Improper Privilege Management
Output from the synchronous version of shell.exec() may be visible to other users on the same system. You may be affected if you execute shell.exec() in multi-user Mac, Linux, or WSL environments, or if you execute shell.exec() as the root user.
Other shelljs functions (including the asynchronous version of shell.exec()) are not impacted.
Patched in shelljs 0.8.5
Recommended action is to upgrade to 0.8.5.
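To act on the upgrade recommendation, the following added example (not part of the advisory or of shelljs itself) checks an npm lockfile for every copy of shelljs older than the patched 0.8.5, including copies pulled in transitively. The lockfile contents and the package name "build-helper" are constructed sample data; in practice you would pass in the parsed contents of your own package-lock.json.

```javascript
// Added example: flag shelljs copies older than the patched 0.8.5 in an npm lockfile.
const PATCHED = [0, 8, 5];
// True when version is below 0.8.5; unparseable values (git URL, tag) are flagged for review.
function isBelowPatched(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(version));
  if (!m) return true;
  const parts = m.slice(1).map(Number);
  for (let i = 0; i < 3; i++) {
    if (parts[i] !== PATCHED[i]) return parts[i] < PATCHED[i];
  }
  return false;
}

// Returns [{ path, version }] for each affected copy, direct or transitive.
// lockfileVersion 2/3 uses a flat "packages" map; version 1 nests "dependencies".
function findVulnerableShelljs(lock) {
  const hits = [];
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (/(^|\/)node_modules\/shelljs$/.test(path) && isBelowPatched(meta.version)) {
        hits.push({ path, version: meta.version });
      }
    }
    return hits;
  }
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === 'shelljs' && isBelowPatched(meta.version)) {
        hits.push({ path, version: meta.version });
      }
      walk(meta.dependencies, `${path}/`);
    }
  };
  walk(lock.dependencies, '');
  return hits;
}

// Constructed sample lockfiles; "build-helper" is a made-up package name.
const sampleV3 = { lockfileVersion: 3, packages: {
  '': { name: 'app' },
  'node_modules/shelljs': { version: '0.6.1' },
  'node_modules/build-helper/node_modules/shelljs': { version: '0.8.5' },
} };
const sampleV1 = { lockfileVersion: 1, dependencies: {
  shelljs: { version: '0.8.5' },
  'build-helper': { version: '1.0.0', dependencies: { shelljs: { version: '0.6.0' } } },
} };
console.log(findVulnerableShelljs(sampleV3), findVulnerableShelljs(sampleV1));
```

A non-empty result means at least one installed copy still predates the fix; the path shows which dependency chain brings it in.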
https://huntr.dev/bounties/50996581-c08e-4eed-a90e-c0bac082679c/
If you have any questions or comments about this advisory: