[Snyk] Upgrade execa from 5.1.1 to 9.5.2

[snyk-io]

Snyk has created this PR to upgrade execa from 5.1.1 to 9.5.2.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

---

⚠️ Warning: This PR contains major version upgrade(s), and may be a breaking change.

• The recommended version is 20 versions ahead of your current version.

• The recommended version was released a month ago.

Issues fixed by the recommended upgrade:

	Issue	Score	Exploit Maturity
	Asymmetric Resource Consumption (Amplification) SNYK-JS-BODYPARSER-7926860	207	No Known Exploit
	Regular Expression Denial of Service (ReDoS) SNYK-JS-CROSSSPAWN-8303230	207	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-CROSSSPAWN-8303230	207	Proof of Concept
	Inefficient Regular Expression Complexity SNYK-JS-MICROMATCH-6838728	207	No Known Exploit
	Cross-site Scripting (XSS) SNYK-JS-WEBPACK-7840298	207	Proof of Concept
	Cross-site Scripting (XSS) SNYK-JS-COOKIE-8163060	207	No Known Exploit
	Cross-site Scripting SNYK-JS-EXPRESS-7926867	207	No Known Exploit
	Regular Expression Denial of Service (ReDoS) SNYK-JS-FINDMYWAY-8055229	207	No Known Exploit
	Cross-site Request Forgery (CSRF) SNYK-JS-HONO-8220272	207	Proof of Concept
	Cross-site Scripting SNYK-JS-SEND-7926862	207	No Known Exploit
	Cross-site Scripting SNYK-JS-SERVESTATIC-7926865	207	No Known Exploit
	Cross-Site Request Forgery (CSRF) SNYK-JS-HONO-7814167	207	Proof of Concept

Release notes

Package name: execa

• 9.5.2 - 2024-12-07
  

  Bug fixes

  • Fix escaping newlines inside template strings. Thanks @ aarondandy! (#1176)
• 9.5.1 - 2024-10-29
  

  Bug fixes

  • Fix odd characters being printed in verbose mode on Windows (thanks @ IIIMADDINIII). (#1167)
• 9.5.0 - 2024-10-27
  

  Features

  • When redirecting stdout or stderr to a file, allow appending instead of overwriting. (#1166)

  await execa({stdout: {file: 'output.txt', append: true}})`npm run build`;

• 9.4.1 - 2024-10-16
  

  Bug fixes

  • Fix using process.execPath with Deno. Thanks @ w3cj! (#1160)
• 9.4.0 - 2024-09-16
  

  Features

  • We've created a separate package called nano-spawn. It is similar to Execa but with fewer features, for a much smaller package size. More info.

  Bug fixes

  • Both execaNode() and the preferLocal option modify the PATH environment variable. This release includes some minor improvements to ensure that environment variable remains small (sindresorhus/npm-run-path#20). It also handles a few related edge cases better (sindresorhus/npm-run-path#21).

  Documentation

  • Small documentation typo fix, thanks @ rrthomas! (#1153)
• 9.3.1 - 2024-08-14
  

  Thanks @ holic and @ jimhigson for your contributions!

  Bugs

  • Do not crash when using a custom Node.js binary without ICU support. (#1144)

  Bugs (types)

  • Fix type of the env option. It was currently failing for Remix or Next.js users. (by @ holic) (#1141)

  Documentation

  • Fix typo in "Inputs" documentation. (by @ jimhigson) (#1145)
  • Document how to terminate hanging subprocesses. (#1140)
  • Document how to add custom logging. (#1131)
• 9.3.0 - 2024-06-21
  

  Features

  • The verbose option can now be a function to customize logging. (#1130)
• 9.2.0 - 2024-06-06
  

  This release includes a new set of methods to exchange messages between the current process and a Node.js subprocess, also known as "IPC". This allows passing and returning almost any message type to/from a Node.js subprocess. Also, debugging IPC is now much easier.

  Moreover, a new gracefulCancel option has also been added to terminate a subprocess gracefully.

  For a deeper dive-in, please check and share the release post!

  Thanks @ iiroj for your contribution, @ SimonSiefke and @ adymorz for reporting the bugs fixed in this release, and @ karlhorky for improving the documentation!

  Deprecations

  • Passing 'ipc' to the stdio option has been deprecated. It will be removed in the next major release. Instead, the ipc: true option should be used. (#1056)

  - await execa('npm', ['run', 'build'], {stdio: ['pipe', 'pipe', 'pipe', 'ipc']});
  + await execa('npm', ['run', 'build'], {ipc: true});

  • The execaCommand() method has been deprecated. It will be removed in the next major release. If most cases, the template string syntax should be used instead.
  - import {execaCommand} from 'execa';
  + import {execa} from 'execa';

  - await execaCommand('npm run build');
  + await execanpm run build;

  const taskName = 'build';
  - await execaCommand(npm run ${taskName});
  + await execanpm run ${taskName};

  const commandArguments = ['run', 'task with space'];
  await execanpm ${commandArguments};

  If the file and/or multiple arguments are supplied as a single string, parseCommandString(command) can split that string into an array. More info. (#1054)

  - import {execaCommand} from 'execa';
  + import {execa, parseCommandString} from 'execa';

  const commandString = 'npm run task';
  - await execaCommand(commandString);
  + const commandArray = parseCommandString(commandString); // ['npm', 'run', 'task']
  + await execa${commandArray};

  // Or alternatively:
  const [file, ...commandArguments] = commandArray;
  await execa(file, commandArguments);

  Features

  • Add gracefulCancel option and getCancelSignal() method to terminate a subprocess gracefully. error.isGracefullyCanceled was also added. (#1109)
  • Add error.isForcefullyTerminated. It is true when the subprocess was terminated by the forceKillAfterDelay option. (#1111)
  • New methods to simplify exchanging messages between the current process and the subprocess. More info. (#1059, #1061, #1076, #1077, #1079, #1082, #1083, #1086, #1087, #1088, #1089, #1090, #1091, #1092, #1094, #1095, #1098, #1104, #1107)
    • The current process sends messages with subprocess.sendMessage(message) and receives them with subprocess.getOneMessage(). subprocess.getEachMessage() listens to multiple messages.
    • The subprocess uses sendMessage(message), getOneMessage() and getEachMessage() instead. Those are the same methods, but imported directly from the 'execa' module.
  • The ipcInput option sends an IPC message from the current process to the subprocess as it starts. This enables passing almost any input type to a Node.js subprocess. (#1068)
  • The result.ipcOutput array contains all the IPC messages sent by the subprocess to the current process. This enables returning almost any output type from a Node.js subprocess. (#1067, #1071, #1075)
  • The error message now contains every IPC message sent by the subprocess. (#1067)
  • The verbose: 'full' option now logs every IPC message sent by the subprocess, for debugging. More info here and there. (#1063)

  Types

  • Add ExecaMethod, ExecaNodeMethod and ExecaScriptMethod, ExecaSyncMethod and ExecaScriptSyncMethod types. (#1066)
  • Export the Message type, for IPC. (#1059)
  • Fix type of forceKillAfterDelay: true option. (#1116)

  Bug fixes

  • Fix passing a {file} to both the stdin and the stdout or stderr options. (#1058)
  • Fix multiple minor problems with the cancelSignal option. (#1108)
  • Fix accidental publishing of Vim backup files. (#1074)
  • Fix engines.node field in package.json. Supported Node.js version is ^18.19.0 or >=20.5.0. (by @ iiroj) (#1101)
• 9.1.0 - 2024-05-13
  

  Features (types)

  • Export TemplateExpression type. (#1049)
• 9.0.2 - 2024-05-10
  

  Bug fixes (types)

  • Do not require using --lib dom for TypeScript users (#1043, #1044)
  • Fix type of the reject option (#1046)
• 9.0.1 - 2024-05-09
• 9.0.0 - 2024-05-08
• 8.0.1 - 2023-08-19
• 8.0.0 - 2023-08-19
• 7.2.0 - 2023-07-27
• 7.1.1 - 2023-03-14
• 7.1.0 - 2023-03-11
• 7.0.0 - 2023-02-11
• 6.1.0 - 2022-02-13
• 6.0.0 - 2021-11-17
• 5.1.1 - 2021-06-04

from execa GitHub release notes

---

Important

• Warning: This PR contains a major version upgrade, and may be a breaking change.
• Check the changes in this PR to ensure they won't cause issues with your project.
• This PR was automatically created by Snyk using the credentials of a real user.
• Max score is 1000. Note that the real score may have changed since the PR was raised.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

• 🧐 View latest project report
• 📜 Customise PR templates
• 🛠 Adjust upgrade PR settings
• 🔕 Ignore this dependency or unsubscribe from future upgrade PRs

[semanticdiff-com]

Review changes with  

Changed Files

File	Status
package.json	40% smaller