This really doesn’t seem like a vulnerability in shelljs either. The functionality provided by the “exec” call is intended to allow an application using the library to execute an arbitrary command. If an application doesn’t sanitize input before calling then the application itself has the security vulnerability not the library. If this were not the case then Nodejs itself would have the same security vulnerability report since it also provides the same functionality (which this library actually uses to implement its functionality).

Hi all, I work on ShellJS.

Shelljs are not able to provide a timeline on this fix. shelljs/shelljs#495

I think you misunderstood. This is not a fix, it’s my project to implement a feature request. Landing that PR will not “fix” the “vulnerability.” I acknowledge I haven’t provided a timeline for the feature: my time for ShellJS is very limited and must balance feature work with other work for the module. As such, I have no clue when I can finish that feature, or if a satisfactory solution is even technically feasible.

I completely understand it’s not your responsibility per se, but I ask you to consider removing shelljs as a dependency. Having a High threat vulnerability, even a false positive, for an indefinite future could hurt or hinder adoption.

I agree with what the Angular team has expressed on this thread. The resolution should be for Snyk and similar services to remove this false positive and flag modules which misuse shell.exec()/child_process.exec(), rather than flagging ShellJS itself (we can’t “fix” exec(), we just hope to eventually deprecate it).

I don’t know how much work it’d be, but considering you only use cp, mkdir, and mv, it hopefully wouldn’t take a ton of time.

We’ve spent years working to get the semantics right for these bash commands, and are still working hard to get proper coverage/behavior. Rewriting from scratch would probably introduce a lot of deviations from the POSIX behavior (and copy-paste might create license issues). So, while I can’t stop folks from doing this, I would strongly advise against adding error-prone implementations to replace existing solutions.

I contacted Snyk about this, and got the following response

Thanks for reaching out @SanderElias! Reading the quoted response, it might be misinterpreted as Snyk is waiting on action from me. My last communication with them was prior to your comment, but they said they need no action from ShellJS or me and they’re not currently ready to take down this vulnerability report. But I’m happy to help out within reason if they need further action from ShellJS.