git-pull-or-clone@2.0.1 vulnerabilities

Ensure a git repo exists on disk and that it's up-to-date

Direct Vulnerabilities

Known vulnerabilities in the git-pull-or-clone package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.
Fix for free
Vulnerability Vulnerable Version
  • C
Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')

git-pull-or-clone is an Ensure a git repo exists on disk and that it's up-to-date

Affected versions of this package are vulnerable to Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') due to the use of the --upload-pack feature of git which is also supported for git clone. The source includes the use of the secure child process API spawn(). However, the outpath parameter passed to it may be a command-line argument to the git clone command and result in arbitrary command injection.

How to fix Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')?

Upgrade git-pull-or-clone to version 2.0.2 or higher.

<2.0.2