Update shelljs to 0.8.5 to mitigate the vulnerability GHSA-64g7-mvw6-v9qj

[kapi-caz]

Hi!

loki-core uses shelljs in version 0.8.3 which has the vulnerability GHSA-64g7-mvw6-v9qj. There are no braking changes mentioned in 0.8.4 and 0.8.5 here. I checked out the code, updated shelljs and run the unit tests and didn't found an issue. Due to missing permissions I couldn't create a PR.

Thanks for your work!

[techeverri]

[...] Due to missing permissions I couldn't create a PR.

You have to fork the repository first. It should work as expected after that.
Feel free to create a pull request 👍

[kapi-caz]

[...] Due to missing permissions I couldn't create a PR.

You have to fork the repository first. It should work as expected after that. Feel free to create a pull request 👍

Thanks! It's my first contribution to any open source project, hence didn't thought about forking!

[techeverri]

There is something I just realized reading the report below 👇
🔗 https://huntr.dev/bounties/50996581-c08e-4eed-a90e-c0bac082679c/

If ShellJS scripts running locally are using ShellJS exec function, local users on the filesystem can read the stdout of the running ShellJS process to disclose sensitive information present in the privileged process.

We don't use the exec function. We only use the which method.

loki/packages/core/src/dependency-detection.js

Lines 15 to 17 in f7d5e65

	function dependencyAvailable(dependency) {
	return !!shell.which(dependency);
	}

So Loki is not really affected by shelljs/shelljs#1058 and the patch shelljs/shelljs#1060 doesn't really change anything for Loki from a code perspective.

What do you think? @oblador

[oblador]

Yeah, and also Loki's version is not locked to the vulnerable version. Simply update your project's lockfile, no change is really needed in Loki.