cross-spawn vulnerability

[anastasiagryshchenko]

Current version of cross-spawn package has security vulnerability

cross-spawn <6.0.6 || >=7.0.0 <7.0.5
Severity: high
Regular Expression Denial of Service (ReDoS) in cross-spawn - GHSA-3xgq-45jj-v275
Regular Expression Denial of Service (ReDoS) in cross-spawn - GHSA-3xgq-45jj-v275

It is likely not exploitable, but it triggers security scanners.
Thank you for looking into it!
Слава Україні :)

[Sid-Blommers]

Apparently the vue-sfc-parser package is in a repository registry with an invalid certificate since January 21 2024. This prevents updating the vulnerable package.

vue-sfc-parser -> verbose stack FetchError: request to https://registry.npm.taobao.org/vue-sfc-parser/download/vue-sfc-parser-0.1.2.tgz failed, reason: certificate has expired