Vulnerability with cross-spawn dependency - severity high

[iamkevinv]

Just raising the advisory here about the ReDoS vuln reported via npm audit, hoping to get a package update to @prisma/internals@^5.22.0 and @prisma/generator-helper@^5.22.0

The advisory details were:

cross-spawn 7.0.0 - 7.0.4
Severity: high
Regular Expression Denial of Service (ReDoS) in cross-spawn - GHSA-3xgq-45jj-v275

[iamkevinv]

Started prepping a PR, but noticed npm run dev was throwing type errors that i'm not familiar with how to resolve immediately, though all the tests are passing. Sorry i'm not sure how to proceed.

> prisma-dbml-generator@0.12.0 dev
> tsc -p . && npm run prisma:generate

node_modules/@prisma/fetch-engine/dist/getProxyAgent.d.ts:1:32 - error TS2307: Cannot find module 'http-proxy-agent' or its corresponding type declarations.

1 import { HttpProxyAgent } from 'http-proxy-agent';
                                 ~~~~~~~~~~~~~~~~~~

node_modules/@prisma/fetch-engine/dist/getProxyAgent.d.ts:2:33 - error TS2307: Cannot find module 'https-proxy-agent' or its corresponding type declarations.

2 import { HttpsProxyAgent } from 'https-proxy-agent';
                                  ~~~~~~~~~~~~~~~~~~~

node_modules/@prisma/get-platform/dist/test-utils/jestContext.d.ts:3:32 - error TS2307: Cannot find module 'fs-jetpack/types' or its corresponding type declarations.

3 import type { FSJetpack } from 'fs-jetpack/types';
                                 ~~~~~~~~~~~~~~~~~~

node_modules/@prisma/internals/dist/engine-commands/getEnginesMetaInfo.d.ts:2:20 - error TS2307: Cannot find module 'fp-ts/Either' or its corresponding type declarations.

2 import * as E from 'fp-ts/Either';
                     ~~~~~~~~~~~~~~

node_modules/@prisma/internals/dist/engine-commands/getEnginesMetaInfo.d.ts:3:20 - error TS2307: Cannot find module 'fp-ts/Option' or its corresponding type declarations.

3 import * as O from 'fp-ts/Option';
                     ~~~~~~~~~~~~~~

node_modules/@prisma/internals/dist/engine-commands/getEngineVersion.d.ts:2:21 - error TS2307: Cannot find module 'fp-ts/TaskEither' or its corresponding type declarations.

2 import * as TE from 'fp-ts/TaskEither';
                      ~~~~~~~~~~~~~~~~~~

node_modules/@prisma/internals/dist/engine-commands/queryEngineCommons.d.ts:1:21 - error TS2307: Cannot find module 'fp-ts/TaskEither' or its corresponding type declarations.

1 import * as TE from 'fp-ts/TaskEither';
                      ~~~~~~~~~~~~~~~~~~

node_modules/@prisma/internals/dist/get-generators/generatorResolvers/prisma-client-js/auto-installation/getPackageCmd.d.ts:1:25 - error TS2307: Cannot find module '@antfu/ni' or its corresponding type declarations.

1 import { Command } from '@antfu/ni';
                          ~~~~~~~~~~~

node_modules/@prisma/internals/dist/resolveBinary.d.ts:2:21 - error TS2307: Cannot find module 'fp-ts/TaskEither' or its corresponding type declarations.

2 import * as TE from 'fp-ts/TaskEither';
                      ~~~~~~~~~~~~~~~~~~

node_modules/@prisma/internals/dist/tracing/types.d.ts:1:49 - error TS2307: Cannot find module '@opentelemetry/api' or its corresponding type declarations.

1 import type { Context, Span, SpanOptions } from '@opentelemetry/api';
                                                  ~~~~~~~~~~~~~~~~~~~~

node_modules/@prisma/internals/dist/utils/fs-functional.d.ts:1:20 - error TS2307: Cannot find module 'fp-ts/lib/Task' or its corresponding type declarations.

1 import * as T from 'fp-ts/lib/Task';
                     ~~~~~~~~~~~~~~~~

node_modules/@prisma/internals/dist/utils/fs-functional.d.ts:2:21 - error TS2307: Cannot find module 'fp-ts/lib/TaskEither' or its corresponding type declarations.

2 import * as TE from 'fp-ts/lib/TaskEither';
                      ~~~~~~~~~~~~~~~~~~~~~~

node_modules/@prisma/internals/dist/utils/tryLoadEnvs.d.ts:1:20 - error TS2307: Cannot find module 'dotenv' or its corresponding type declarations.

1 import dotenv from 'dotenv';
                     ~~~~~~~~

src/generator/dbml.ts:20:5 - error TS2345: Argument of type 'readonly ReadonlyDeep<ReadonlyDeep<ReadonlyDeep<{ name: string; dbName: string | null; fields: ReadonlyDeep<{ kind: FieldKind; name: string; isRequired: boolean; isList: boolean; isUnique: boolean; isId: boolean; isReadOnly: boolean; ... 10 more ...; documentation?: string | undefined; }>[]; ... 4 more ...; isGenera...' is not assignable to parameter of type 'ReadonlyDeep<{ name: string; dbName: string | null; fields: ReadonlyDeep<{ kind: FieldKind; name: string; isRequired: boolean; isList: boolean; isUnique: boolean; isId: boolean; isReadOnly: boolean; isGenerated?: boolean | undefined; ... 9 more ...; documentation?: string | undefined; }>[]; ... 4 more ...; isGenerat...'.
  The type 'readonly ReadonlyDeep<ReadonlyDeep<ReadonlyDeep<{ name: string; dbName: string | null; fields: ReadonlyDeep<{ kind: FieldKind; name: string; isRequired: boolean; isList: boolean; isUnique: boolean; isId: boolean; isReadOnly: boolean; ... 10 more ...; documentation?: string | undefined; }>[]; ... 4 more ...; isGenera...' is 'readonly' and cannot be assigned to the mutable type 'ReadonlyDeep<{ name: string; dbName: string | null; fields: ReadonlyDeep<{ kind: FieldKind; name: string; isRequired: boolean; isList: boolean; isUnique: boolean; isId: boolean; isReadOnly: boolean; isGenerated?: boolean | undefined; ... 9 more ...; documentation?: string | undefined; }>[]; ... 4 more ...; isGenerat...'.

20     dmmf.datamodel.models,
       ~~~~~~~~~~~~~~~~~~~~~

src/generator/dbml.ts:25:32 - error TS2345: Argument of type 'readonly ReadonlyDeep<ReadonlyDeep<ReadonlyDeep<{ name: string; dbName: string | null; fields: ReadonlyDeep<{ kind: FieldKind; name: string; isRequired: boolean; isList: boolean; isUnique: boolean; isId: boolean; isReadOnly: boolean; ... 10 more ...; documentation?: string | undefined; }>[]; ... 4 more ...; isGenera...' is not assignable to parameter of type 'ReadonlyDeep<{ name: string; dbName: string | null; fields: ReadonlyDeep<{ kind: FieldKind; name: string; isRequired: boolean; isList: boolean; isUnique: boolean; isId: boolean; isReadOnly: boolean; isGenerated?: boolean | undefined; ... 9 more ...; documentation?: string | undefined; }>[]; ... 4 more ...; isGenerat...'.
  The type 'readonly ReadonlyDeep<ReadonlyDeep<ReadonlyDeep<{ name: string; dbName: string | null; fields: ReadonlyDeep<{ kind: FieldKind; name: string; isRequired: boolean; isList: boolean; isUnique: boolean; isId: boolean; isReadOnly: boolean; ... 10 more ...; documentation?: string | undefined; }>[]; ... 4 more ...; isGenera...' is 'readonly' and cannot be assigned to the mutable type 'ReadonlyDeep<{ name: string; dbName: string | null; fields: ReadonlyDeep<{ kind: FieldKind; name: string; isRequired: boolean; isList: boolean; isUnique: boolean; isId: boolean; isReadOnly: boolean; isGenerated?: boolean | undefined; ... 9 more ...; documentation?: string | undefined; }>[]; ... 4 more ...; isGenerat...'.

25     ? generateManyToManyTables(dmmf.datamodel.models, mapToDbSchema)
                                  ~~~~~~~~~~~~~~~~~~~~~

src/generator/dbml.ts:27:31 - error TS2345: Argument of type 'readonly ReadonlyDeep<ReadonlyDeep<ReadonlyDeep<{ name: string; values: ReadonlyDeep<{ name: string; dbName: string | null; }>[]; dbName?: string | null | undefined; documentation?: string | undefined; }>>>[]' is not assignable to parameter of type 'ReadonlyDeep<{ name: string; values: ReadonlyDeep<{ name: string; dbName: string | null; }>[]; dbName?: string | null | undefined; documentation?: string | undefined; }>[]'.
  The type 'readonly ReadonlyDeep<ReadonlyDeep<ReadonlyDeep<{ name: string; values: ReadonlyDeep<{ name: string; dbName: string | null; }>[]; dbName?: string | null | undefined; documentation?: string | undefined; }>>>[]' is 'readonly' and cannot be assigned to the mutable type 'ReadonlyDeep<{ name: string; values: ReadonlyDeep<{ name: string; dbName: string | null; }>[]; dbName?: string | null | undefined; documentation?: string | undefined; }>[]'.

27   const enums = generateEnums(dmmf.datamodel.enums);
                                 ~~~~~~~~~~~~~~~~~~~~

src/generator/dbml.ts:28:34 - error TS2345: Argument of type 'readonly ReadonlyDeep<ReadonlyDeep<ReadonlyDeep<{ name: string; dbName: string | null; fields: ReadonlyDeep<{ kind: FieldKind; name: string; isRequired: boolean; isList: boolean; isUnique: boolean; isId: boolean; isReadOnly: boolean; ... 10 more ...; documentation?: string | undefined; }>[]; ... 4 more ...; isGenera...' is not assignable to parameter of type 'ReadonlyDeep<{ name: string; dbName: string | null; fields: ReadonlyDeep<{ kind: FieldKind; name: string; isRequired: boolean; isList: boolean; isUnique: boolean; isId: boolean; isReadOnly: boolean; isGenerated?: boolean | undefined; ... 9 more ...; documentation?: string | undefined; }>[]; ... 4 more ...; isGenerat...'.
  The type 'readonly ReadonlyDeep<ReadonlyDeep<ReadonlyDeep<{ name: string; dbName: string | null; fields: ReadonlyDeep<{ kind: FieldKind; name: string; isRequired: boolean; isList: boolean; isUnique: boolean; isId: boolean; isReadOnly: boolean; ... 10 more ...; documentation?: string | undefined; }>[]; ... 4 more ...; isGenera...' is 'readonly' and cannot be assigned to the mutable type 'ReadonlyDeep<{ name: string; dbName: string | null; fields: ReadonlyDeep<{ kind: FieldKind; name: string; isRequired: boolean; isList: boolean; isUnique: boolean; isId: boolean; isReadOnly: boolean; isGenerated?: boolean | undefined; ... 9 more ...; documentation?: string | undefined; }>[]; ... 4 more ...; isGenerat...'.

28   const refs = generateRelations(dmmf.datamodel.models, mapToDbSchema);
                                    ~~~~~~~~~~~~~~~~~~~~~

src/generator/enums.ts:5:54 - error TS2345: Argument of type 'readonly ReadonlyDeep<ReadonlyDeep<{ name: string; dbName: string | null; }>>[]' is not assignable to parameter of type 'ReadonlyDeep<{ name: string; dbName: string | null; }>[]'.
  The type 'readonly ReadonlyDeep<ReadonlyDeep<{ name: string; dbName: string | null; }>>[]' is 'readonly' and cannot be assigned to the mutable type 'ReadonlyDeep<{ name: string; dbName: string | null; }>[]'.

5     (e) => `Enum ${e.name} {\n` + generateEnumValues(e.values) + '\n}',
                                                       ~~~~~~~~

src/generator/relations.ts:39:11 - error TS2345: Argument of type 'readonly string[]' is not assignable to parameter of type 'string[]'.
  The type 'readonly string[]' is 'readonly' and cannot be assigned to the mutable type 'string[]'.

39           field.relationFromFields!,
             ~~~~~~~~~~~~~~~~~~~~~~~~~

src/generator/relations.ts:41:11 - error TS2345: Argument of type 'readonly string[]' is not assignable to parameter of type 'string[]'.
  The type 'readonly string[]' is 'readonly' and cannot be assigned to the mutable type 'string[]'.

41           field.relationToFields!!,
             ~~~~~~~~~~~~~~~~~~~~~~~~

src/generator/table.ts:20:9 - error TS2345: Argument of type 'readonly ReadonlyDeep<ReadonlyDeep<{ kind: FieldKind; name: string; isRequired: boolean; isList: boolean; isUnique: boolean; isId: boolean; isReadOnly: boolean; isGenerated?: boolean | undefined; isUpdatedAt?: boolean | undefined; ... 8 more ...; documentation?: string | undefined; }>>[]' is not assignable to parameter of type 'ReadonlyDeep<{ kind: FieldKind; name: string; isRequired: boolean; isList: boolean; isUnique: boolean; isId: boolean; isReadOnly: boolean; isGenerated?: boolean | undefined; isUpdatedAt?: boolean | undefined; ... 8 more ...; documentation?: string | undefined; }>[]'.
  The type 'readonly ReadonlyDeep<ReadonlyDeep<{ kind: FieldKind; name: string; isRequired: boolean; isList: boolean; isUnique: boolean; isId: boolean; isReadOnly: boolean; isGenerated?: boolean | undefined; isUpdatedAt?: boolean | undefined; ... 8 more ...; documentation?: string | undefined; }>>[]' is 'readonly' and cannot be assigned to the mutable type 'ReadonlyDeep<{ kind: FieldKind; name: string; isRequired: boolean; isList: boolean; isUnique: boolean; isId: boolean; isReadOnly: boolean; isGenerated?: boolean | undefined; isUpdatedAt?: boolean | undefined; ... 8 more ...; documentation?: string | undefined; }>[]'.

20         model.fields,
           ~~~~~~~~~~~~

src/generator/table.ts:35:61 - error TS2345: Argument of type 'readonly (readonly string[])[]' is not assignable to parameter of type 'string[][]'.
  The type 'readonly (readonly string[])[]' is 'readonly' and cannot be assigned to the mutable type 'string[][]'.

35   const hasCompositeUniqueIndex = hasCompositeUniqueIndices(model.uniqueFields);
                                                               ~~~~~~~~~~~~~~~~~~

src/generator/table.ts:37:64 - error TS2345: Argument of type 'readonly string[] | undefined' is not assignable to parameter of type 'string[] | undefined'.
  The type 'readonly string[]' is 'readonly' and cannot be assigned to the mutable type 'string[]'.

37     ? `\n\n  ${DBMLKeywords.Indexes} {\n${generateTableBlockId(primaryFields)}${
                                                                  ~~~~~~~~~~~~~

src/generator/table.ts:39:44 - error TS2345: Argument of type 'readonly (readonly string[])[]' is not assignable to parameter of type 'string[][]'.
  The type 'readonly (readonly string[])[]' is 'readonly' and cannot be assigned to the mutable type 'string[][]'.

39       }${generateTableCompositeUniqueIndex(model.uniqueFields)}\n  }`
                                              ~~~~~~~~~~~~~~~~~~


Found 24 errors in 14 files.

Errors  Files
     2  node_modules/@prisma/fetch-engine/dist/getProxyAgent.d.ts:1
     1  node_modules/@prisma/get-platform/dist/test-utils/jestContext.d.ts:3
     2  node_modules/@prisma/internals/dist/engine-commands/getEnginesMetaInfo.d.ts:2
     1  node_modules/@prisma/internals/dist/engine-commands/getEngineVersion.d.ts:2
     1  node_modules/@prisma/internals/dist/engine-commands/queryEngineCommons.d.ts:1
     1  node_modules/@prisma/internals/dist/get-generators/generatorResolvers/prisma-client-js/auto-installation/getPackageCmd.d.ts:1
     1  node_modules/@prisma/internals/dist/resolveBinary.d.ts:2
     1  node_modules/@prisma/internals/dist/tracing/types.d.ts:1
     2  node_modules/@prisma/internals/dist/utils/fs-functional.d.ts:1
     1  node_modules/@prisma/internals/dist/utils/tryLoadEnvs.d.ts:1
     4  src/generator/dbml.ts:20
     1  src/generator/enums.ts:5
     2  src/generator/relations.ts:39
     4  src/generator/table.ts:20